(57) Abstract

Disclosed are a system and a method employing a [...] fingerprint is employed as the secret key in [...] and a central authentication system coupled to a conventional mobile switching center. [...] capture module on a mobile personal [...] that associates each mobile identification number ("MIN") with a [...] communication is to be initiated, the central authentication system engages in a challenge-response authentication [...] of the wireless phone using the stored fingerprint associated [...] mobile station will only be generated when the user's [...] authentication system, and only calls placed from authorized users are connected.
METHOD OF USING FINGERPRINTS TO AUTHENTICATE WIRELESS COMMUNICATIONS

Cross Reference to Related Applications

This application claims priority from (1) US Provisional Patent Application No. 60/025,947 filed September 11, 1996, entitled METHOD OF USING FINGERPRINTS TO ELIMINATE WIRELESS PHONE FRAUD AND TO ASCERTAIN A CALLER'S IDENTITY and naming Y. Li, D. R. K. Rao, and S. Subbiah as inventors, and (2) US Provisional Patent Application No. 60/025,949, filed September 11, 1996, entitled EMBEDDABLE MODULE FOR FINGERPRINT CAPTURE AND MATCHING, and naming R. Rao, S. Subbiah, Y. Li, and D. Chu as inventors. Both of these applications are incorporated herein by reference in their entireties and for all purposes.
Background of the Invention

The present invention relates to security measures for wireless telephones or cellular mobile phones. More particularly, the invention relates to authentication methods employing biometric information (e.g., fingerprints) to guarantee non-fraudulent use of wireless telephones or cellular mobile phones.

As known in the state of the art, wireless telephones or cellular mobile phones are identified by mobile identification numbers (MINs) and electronic serial numbers (ESNs). Current protocols for wireless communication, either placing or receiving a call, require both the MIN and the ESN to be broadcast through a standard common air interface (CAI) between the wireless telephone and a mobile switching center (MSC) for authorization and billing purposes. However, such information can be easily intercepted and obtained via specialized scanning equipment that is readily available. MINs and ESNs captured this way can be illegally programmed into other cellular phones for the purpose of placing calls that will be billed to the person that the MIN and ESN has been legitimately assigned to. This type of theft has become a common practice world-wide, and millions of dollars are lost to the wireless service providers and law enforcement agencies (US $650 million in 1995).

Various methods have been proposed to solve this problem. One method (described in U.S. Pat. No. 5,448,760) proposes the idea of requesting a personal identification number (PIN) each time a call is placed. The PIN can be safely transmitted through a different channel. However, this inconveniences the user and many users even forget their PINs. Another method (described in U.S. Pat. No. 5,420,908) proposes monitoring each customer's habit or calling pattern (also known as user profiles) and blocking any calls that do not fit the customer's previous calling pattern. This method suffers from problems: (1) the calling pattern of a customer is difficult to accurately pinpoint (any time the calling pattern changes a legitimate call might be blocked) and (2) it will not successfully block calls from phones that continually change the MIN-ESN pair that they employ.

In another method (described in U.S. Pat. No. 5,420,908 issued to Hodges and Rubenstein and incorporated herein by reference), a "challenge response" authentication scheme is proposed to solve fraudulent use in wireless communication. The proposed method includes a central authentication system serving several MSCs which store all MINs with associated secret keys that are used to generate the "challenge response" authentication. Having one central authentication system for several MSCs eliminates the need for cross-system access between different MSCs. However, for security reasons - power failure, computer hacker attacks, natural disasters - there should be at least one additional remote site that maintains a mirror copy of the central authentication system. Ideally, backup communication between the central authentication system and its mirrors [...] both hot and cold backups to dynamically maintain identical copies at all times. All MSCs communicate with the central authentication platform through a standard phone line. This method also requires each wireless phone to have a device which contains special information to generate a correct response to a specific "challenge". Each time that a user [...] cellular phone, the MIN and ESN are sent to the MSC just as in the standard protocol used in wireless communication today. Then the MSC sends the information [...] network (PSTN) [...] authentication platform. The central system then takes the secret key which is associated with the MIN and generates a challenge which is sent to the cellular phone through a different wireless forward channel. The cellular phone then uses its special internal module to generate a response to the challenge which is then sent back to the MSC by wireless means and then forwarded to the central system via standard PSTN lines. The central system then compares the cellular phone's response to the precalculated response value it expects. If the response is correct the use is authorized.

Such a system has certain advantages and should improve security in wireless communication. Although no specific type of secret key was disclosed in the [...], the specified secret keys - including a string of special integers - suffer major drawbacks. First, computer systems are always subject to intruders/hackers. For example, just recently [...] much celebrated case of Tsutomu Shimomura, the network security expert, and [...] Kevin Mitnick, the outlaw computer hacker (in Takedown by John Markoff and T. Shimomura, Hyperion Press: USA 1995). In the case of a break-in or even a suspicion of a break-in, all stored secret keys are rendered useless and all the keys need to be updated. This necessarily means that all the users have to visit their service provider in person and update their secret key. Second, if only one or a few keys are stolen at any given time, the system would not be able to detect the theft until the end of each billing cycle (if even then). Third, the "challenge" is MIN-specific. The thieves who capture the MIN and ESN through the air interface can also capture the "challenge" and its "response" and attempt to crack the secret key. While some encryption methods like RSA can be made very secure now, the powerful computers that can be expected to become widely available in the future may allow secret keys to be cracked with the knowledge of multiple challenges and their responses. Still further, with the global computer connectivity, Internet viruses have become a major issue and almost every week there is a new virus that is released, particularly from less developed countries. If the central authentication system gets infected and the files tampered with, as before, all users have to return to their service provider to have a new secret key reissued. All these four scenarios are quite likely to happen in our age of high-tech criminals and even-higher tech teenage pranksters.

What is needed, therefore, is an improved security system to protect against unauthorized use of wireless communications. The method and associated system should provide improved security and be easy to maintain.
Summary of Invention

The current invention expands on the principles and protocols discussed above. The relevant extension involves using a token generated from biometric information, the user's personal fingerprint in particular, as the secret key in the context of a modified "challenge-response" scenario. As will be explained, this virtually eliminates all of the drawbacks discussed above. Most generally, the invention involves the use of fingerprint matching to authenticate a call or other communication over a wireless communication network. The matching may be employed at a central location on the network, at the personal wireless device, or both.

One aspect of the invention provides methods of authenticating calls to be made over a communication system. Typically, both a wireless source (e.g., a mobile telephone) and a central authentication node that may service numerous nodes participate in the methods -- although each operates according to its own protocol.
An authentication method implemented on the central authentication node may be characterized by the following sequence: (a) determining that the call has been initiated from a source; (b) determining whether source fingerprint data provided from the source matches stored fingerprint data associated with the source; and (c) if the source fingerprint data matches the stored fingerprint data, allowing the call to be completed. Matching may involve separate matching steps at both the source and the central authentication node. It may also involve decrypting a challenge. In addition to the above basic steps, the authentication node may request that the source fingerprint data be provided from the source of the call. In the case of a mobile telephone system, the call initiated from the source may be forwarded through any of a plurality of mobile switching centers to reach the central authentication node. That is, the central authentication node may serve multiple switching centers. In a preferred embodiment, the central authentication node accesses the stored fingerprint data from a database that associates particular users' accounts with their fingerprints. The fingerprint data (from the source or stored database) may be embedded in a token having a format making it difficult to extract the fingerprint data. In one embodiment, that token format may be an inter-minutiae distance-vector-derived format such as one of the formats commonly employed in the art.

In one specific embodiment, the method also involves (a) encrypting a challenge with the stored fingerprint data to produce an encrypted challenge; and (b) providing the encrypted challenge to the source for the purpose of decrypting by the source with the source fingerprint data. The step of determining whether the source and stored fingerprint data match preferably involves (i) receiving a decrypted challenge from the source, which decrypted challenge had been decrypted with the source fingerprint data; and (ii) comparing the challenge with the decrypted challenge from the source. If the two match, then it is assumed that the stored and source fingerprints also match and the call is allowed to proceed.

In a particularly preferred embodiment, the method involves a further security feature to avoid use of a stolen fingerprint token. This technique operates on the assumption that each time an individual gives a fingerprint, the print is slightly different due to the flexibility of the finger skin, the angle at which the finger is pressed down, etc. Thus it is exceedingly rare that any two finger imprints from a given user will be identical. Recognizing this, the method may require the following: (a) determining whether the source fingerprint data is identical to one or more instances of sample fingerprint data previously received; and (b) if the source and any one of the instances of the sample fingerprint data are identical, preventing the call from being completed.
Authentication methods implemented on a source such as a wireless telephone (as opposed to the central authentication center as described above) may be characterized as including the following steps: (a) transmitting a dialed number to a switching center on the communication network; (b) receiving a user's fingerprint (possibly after a prompt); (c) generating source fingerprint data from the user's fingerprint; and (d) if the source fingerprint data matches stored fingerprint data associated with user, completing the call. The source may itself determine whether the source fingerprint data matches the stored fingerprint data prior to completing the call. In the case of a wireless telephone, the method may also include traditional calling steps such as transmitting at least one of an MIN and an ESN to the switching center.

In conjunction with the encryption technique described above for the central authentication node, the source may perform the following steps: (i) receiving an encrypted challenge from the switching center; (ii) decrypting the encrypted challenge with the source fingerprint data to produce a decrypted challenge; and (iii) transmitting the decrypted challenge to the switching center, such that if the decrypted challenge is found to match an unencrypted challenge, specifying that the source fingerprint data matches the stored fingerprint data (allowing the call to proceed).

A personal wireless communication device (e.g., a wireless telephone) suitable for use with the authentication methods of this invention may be characterized as including the following features: (a) a wireless communications interface for sending and receiving wireless communications; (b) a device for capturing the user's fingerprint; and (c) a processing device (e.g., a CPU) capable of converting the user's fingerprint to source fingerprint data which can be transmitted. Preferably, the wireless device includes a casing and provided within that casing are both the device for capturing the user's fingerprint and the processing device.

The wireless communications interface should be capable of sending the source fingerprint data to a remote location. Preferably, it should be capable of sending and receiving fingerprint data over a data channel which operates at a different frequency from a communications channel which sends and receives the wireless communications.

In one embodiment, the device for capturing the user's fingerprint includes: (i) a fingerprint capture surface on which the user can place his or her finger to produce an optical image of his or her fingerprint; (ii) an imager capable of generating an electronic image of the user's fingerprint (e.g., a CCD array or CMOS photodiode/photogate array); and (iii) optics for directing the optical image of the user's fingerprint from the fingerprint capture surface to the imager. In a preferred embodiment, the imager is a CMOS photodiode/photogate array which is provided on an integrated circuit together with the processing device. In an alternative embodiment the device for capturing the user's fingerprint includes an imager which does not require optics. Examples of such "optics-free" imagers include capacitor arrays or ultrasonic mechanisms formed on semiconductor substrates.

The processing device should contain the logic and resources necessary for comparing the source fingerprint [...] location. Preferably, the processing device should also be capable of decrypting a challenge received from the remote location.

As noted, the biometric "challenge-response" authentication scheme of this invention preferably employs a central authentication platform serving several or all MSCs and wireless phones. In this manner, the current invention seeks to prevent fraudulently placed wireless calls using stolen MIN-ESN information.

Another aspect of the invention provides a central authentication system or node connected to a communications network and capable of rendering wireless communications secure by processing biometric information from a user. Such central authentication systems may be characterized as including (a) a communications interface for sending and receiving data communications over the communications network; (b) a database interface for accessing a database containing stored fingerprint data associated with users of wireless communications devices; and (c) a processor capable of determining whether a wireless communication from a wireless communications device should be permitted based upon a match between a fingerprint taken from the wireless communications device and stored fingerprint data associated with the wireless communications device.

Often the communications interface will be coupled to a public switched telephone network such that the data communications are directed to one or more mobile switching centers on the network. The database - which may form part of the central authentication system - preferably includes, for at least some of the wireless communications devices, a plurality of received tokens containing information from fingerprints taken at the wireless communications devices. The system then compares newly received tokens from a given wireless communications device with the plurality of tokens for that wireless communications device.

These and other features and advantages of the present invention will be further described below with reference to the associated drawings.
Brief Description of the Drawings

Figure 1 is a block diagram of various components of the present invention as it may be employed in a cellular phone system.

Figure 2 is a representation of a MIN-challenge key database table used to store tokens from biometric information in accordance with one preferred embodiment of this invention.

Figures 3A and 3B together present a process flow diagram depicting a sequence of 
events in a challenge-response authentication method of the present invention. 

Figure 4 is a block diagram depicting basic components of a fingerprint capturing unit and an associated wireless telephone in accordance with a preferred embodiment of the present invention.

Figure 5 is a flow diagram depicting a fingerprint matching technique that may be 
employed with the present invention. 

Figure 6 is a block diagram of a central authentication system for processing biometric information from a mobile telephone in accordance with one embodiment of the present invention.

Detailed Description of the Preferred Embodiments

The present invention is described herein in terms of a wireless telephone system. The invention is not so limited. For all purposes of this current invention, the term "wireless telephone" (or "wireless communication system") generically will be understood to include cellular phones, personal communication systems, telephones, personal digital assistants, wireless personal computers, wireless notebooks, etc. using analogue or digital electronics technology. While the present invention is currently envisioned as providing substantial benefit to wireless communications, there is in principle no reason why it could not be applied to communications generally. Any communication that could benefit from authentication may be implemented with the present invention. Such communications include those made over a wire-based telephone system and employing an account code.

The communications allowed over the communication system will sometimes be referred to herein as "calls." Examples of communications (calls) within the context of this invention include (a) analog transmissions such as telephone calls transmitting analog voice data over a wire medium or a wireless medium and (b) digital transmissions such as packaged messages over a network (LAN, WAN, Internet, etc.) and digital voice data over a wireless medium. Communications involving packetized transmissions may be connection-based transmissions such as TCP or connectionless transmissions such as UDP.

Fingerprint technology including hardware image capture, software image processing, software/hardware for fingerprint data storage and software for fingerprint analysis/comparison is a relatively mature technology with over 20 years of [...] (see, for example, U.S. Pat. Nos. 2 952 .81, 4 151 512, 4 322 163, 4 537 484, 4 747 147, 5 467 403, each of which is incorporated herein by reference for all purposes). It is well-known that no two individuals possess the same identical fingerprint and that accurate matching techniques in conjunction with well-captured images can positively identify an individual. The term "fingerprint" as used herein refers to handprints, palmprints, and other unique skin patterns in addition to traditional fingerprints.

The present invention may employ sophisticated hardware and software to allow rapid fingerprint based identification as described in U.S. Provisional Application No. 60/025,949 filed on September 11, 1996, naming R. Rao, S. Subbiah, Y. Li & D. Chu as inventors, and previously incorporated by reference. That application describes an extremely small low-cost fingerprint capture hardware module that lends itself to ready insertion into many devices. The referenced Provisional Application was incorporated herein by reference for all purposes and is illustrative of the maturity of the fingerprint capture and comparison technology.

FIG. 1 shows an apparatus that may be used to process a wireless call in accordance with the principles of the current invention. A [...] ("FCPD") 101 (such as that described in U.S. Provisional Application No. 60/025,949 previously incorporated by reference) with an on-board CPU for processing and comparison of the captured fingerprint image (see FIG. 4) is connected to the wireless telephone 102. This connection may be by any method, i.e. via a telephone modem or a data port specifically built in to the wireless telephone 102, an acoustic coupler or the direct incorporation of the fingerprint module 101 into the wireless telephone 102. Preferably, the module 101 can be incorporated within telephone 102 such that a standard mobile telephone casing may house all electronics for operation of the telephone and fingerprint processing. In an especially preferred embodiment, the electronics for processing both the fingerprints and the telephone calls are provided on a single integrated circuit chip. This makes it especially difficult to tamper with the system by, for example, intercepting signals between fingerprint capturing module 101 and telephone 102.
In one embodiment of the invention which employs a protocol similar to that of conventional wireless systems, each phone is provided with a MIN and ESN. When the user dials a telephone number using a keypad 112 on the wireless telephone 102, the MIN, ESN, and the number of the party being called is transmitted to a Mobile Switching Center (MSC) 103 of a wireless carrier 104. In response, MSC 103 performs the standard verification of the MIN and ESN as well-known in the art (see, for example, in Wireless Communications, by T. S. Rappaport, 1996, Prentice-Hall, which is incorporated herein by reference for all purposes). If the MIN and ESN belong to a special group of users who have previously requested the additional layer of fingerprint based security with their service, the MIN and ESN are sent to a Central Authentication System (CAS) 106 via a public switched telephone network (PSTN) or Internet 105 to avoid direct access of CAS 106 through the air interface. This provides additional security for the CAS.

In response to the MIN being forwarded by MSC 103, CAS 106 looks up its built-in MIN-Challenge Key Database (MCKD) 107 and retrieves an appropriate Challenge Key (CK 202, FIG. 2) that is associated with that particular MIN. The CK 202 is a token that has been derived from the user's fingerprint when the user first registered the purchase of his/her phone service. The CK 202 is then used to encrypt a "challenge" that is generated by the CAS 106. The challenge that is formulated by the CAS 106 is different each time when it is accessed by the same or different users. The CK 202 and the encrypted challenge are then jointly sent to wireless telephone 102 through any available forward voice channel (FVC) or forward control channel (FCC) for example.

After reception of the challenge from CAS 106 by wireless telephone 102, the challenge is forwarded to FCPD 101 as detailed in FIG. 4. The user's fingerprint information could have been requested by FCPD 101 either before this point and after the user entered the number of the called party, or at this time point itself. A token, which in one embodiment could simply be an encoded collection of a set of unique minutiae/features found in the fingerprint, is then generated based on the fingerprint information captured locally by FCPD 101. As well-known in the art of fingerprint matching, a fingerprint from any individual is unique to that individual and therefore the variety of slightly different tokens (tokens can differ by a feature or two without any loss in uniqueness) that can be generated can only come from that individual. This is then compared with fingerprint-based token CK 202 that was received from CAS 106. If there is a match of the tokens, the encrypted message is decrypted by using token CK 202 received from CAS 106. In other embodiments, either or both tokens could be used to decrypt the challenge. A response (the decrypted challenge) is then sent back to MSC 103 through any of the available reverse voice channels (RVCs) or reverse control channels (RCCs). This is then forwarded via PSTN or Internet 105 (for additional security one may limit use of the common air interface as much as possible) back to CAS 106.

The response from FCPD 101 to CAS 106 contains both the decrypted message and a token that is generated from the fingerprint image the user supplied. If (1) the received decrypted message matches the expected response (i.e., the original unencrypted challenge that had been temporarily stored in CAS 106, as detailed in FIG. 6) and (2) the token received from the FCPD 101 matches the CK 202 in the MCKD 107, the call is authorized and connected. This double matching method will reduce false positives. It will also prevent any illegal attempt that relies only on a decryption of just the encoded challenge.

It is important to note that tokens generated from the same finger vary every time the fingerprint is captured. In a preferred embodiment, if the token sent from FCPD 101 (via wireless telephone 102) is identical to that in the database (CK 202) the call will not be authorized, since it is extremely unlikely that the exact same token will be generated in subsequent image capture of the same finger. Presumably, such exact token matching will only happen if the token had been illegally captured and is being used for illegal access into the phone network. In this embodiment, the database may store up to a pre-specified number of tokens sent by user from wireless telephone 102. If the most current token sent from the user is identical to any token from this list, the call is also blocked, since this may indicate the interception of a particular token sent from user to CAS 106 and used illegally. This is a major advantage of the current invention since the token CK 202 used for encryption (in other words the secret key that is central to all 'challenge-response' authentication methods) can itself be broadcast over the common air interface or even made public. Thus the secret aspect of system described in the above-referenced Hodges and Rubenstein patent may be avoided in one embodiment. To reiterate, by blocking exact matches between a newly generated token and a stored token (one embodiment of this invention), the illegal capture of the token CK 202 does not enable third parties to fraudulently initiate calls. This is a clear and substantial advantage over the prior art, and derives from the fact that personal biometric information is being used to generate secret keys.

A further advantage is the token's resistance to corruption due to wireless noise. In one embodiment, a loss of a few features of the minutiae set from the token will still leave sufficient uncorrupted features to allow unique matching against another token derived from the same finger. One could therefore expect a "fuzzy" (non-deterministic) set of minutiae that will give unique matching. Another advantage of the current invention derives from the fact that the CK 202 tokens can be made public with no ill effects. Thus if the database MCKD 107 is stolen or attacked by computer hackers and viruses, as long as a backup copy of the database MCKD 107 exists at a remote and secure mirror-site, there is no lasting negative consequence (so long as exact matches with prior stored tokens require that a call be blocked).

PCT/US97/16094    WO 98/11750

FIG. 2 shows a typical structure for the MIN-Challenge Key Database 107 ("MCKD") in accordance with one embodiment of this invention. A CK 202 is stored in association with each MIN 201. Additional instructions or restrictions on the use of each MIN 201 can be stored in a special instruction section (SIS) 203. These may include, for example, blocks on long distance calls to certain localities, restrictions on calls over a certain dollar amount, etc. In addition, MCKD 107 includes a column 204 for storing recently received tokens from FCPD 101. Anytime that a received token exactly matches one of the tokens stored in column 204, the call may be blocked.

The CK 202 is a token that is generated from the fingerprint that the user initially provided when registering with the phone company. This token contains information pertinent to the fingerprint minutiae information that has been embedded so as to ensure that if stolen it would not lead to a loss of the original fingerprint itself.

Since fingerprint images vary slightly from print to print, such tokens from the same finger at repeated times will be different. Also, depending upon the format of fingerprint minutiae in the tokens, two separately generated tokens of the same print will not from the outside appear similar - only when fingerprint matching algorithms for comparison are applied to both tokens generated from different impressions of the same finger can both tokens be deemed to be from the same fingerprint. Thus simple possession of a token from a given fingerprint will not enable anyone to generate other different tokens corresponding to a different fingerprint impression from the same finger. This renders the method very robust and tamper proof.

Token matching first requires extraction of the fingerprint minutiae from the token. These are then compared by matching their two-dimensional coordinates. If the coordinates match to within a defined tolerance, the tokens are deemed a match. As explained below, tokens may be provided with a timestamp as an extra security measure.
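
The CAS-side decision described above (the double match on decrypted challenge and token, coordinate matching within a tolerance, and blocking of any token identical to CK 202 or to one held in column 204), as an added Python sketch that is not part of the patent. The SHA-256 XOR keystream stands in for the unnamed cipher, and the thresholds, class and function names and sample minutiae are assumptions.

```python
# Added illustration, not code from the patent. The cipher, thresholds and
# sample minutiae below are assumptions made for the example.
import hashlib
import hmac
import math
import secrets
from collections import deque

TOLERANCE = 3.0    # assumed "defined tolerance" on minutia coordinates
MIN_MATCHED = 4    # assumed number of minutiae that must agree
HISTORY = 5        # assumed "pre-specified number" of stored tokens (column 204)


def tokens_match(a, b, tol=TOLERANCE, need=MIN_MATCHED):
    """Fuzzy match: pair each minutia of `a` with an unused minutia of `b`."""
    unused = list(b)
    hits = 0
    for x, y in a:
        for cand in unused:
            if math.hypot(x - cand[0], y - cand[1]) <= tol:
                unused.remove(cand)
                hits += 1
                break
    return hits >= need


def xor_crypt(token, data):
    """Stand-in cipher keyed by a token (the text names no algorithm)."""
    seed = repr(sorted(token)).encode()
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


class CAS:
    """Central authentication system holding the MIN-Challenge Key Database."""

    def __init__(self):
        self.mckd = {}      # MIN -> {"ck": enrolled token, "recent": column 204}
        self.pending = {}   # MIN -> challenge awaiting a response

    def enroll(self, min_, ck):
        self.mckd[min_] = {"ck": tuple(ck), "recent": deque(maxlen=HISTORY)}

    def issue_challenge(self, min_):
        row = self.mckd[min_]
        challenge = secrets.token_bytes(16)       # different on every access
        self.pending[min_] = challenge
        return row["ck"], xor_crypt(row["ck"], challenge)

    def verify(self, min_, response, token):
        row = self.mckd[min_]
        challenge = self.pending.pop(min_, None)  # each challenge is single-use
        token = tuple(token)
        if challenge is None or not hmac.compare_digest(challenge, response):
            return "blocked: wrong challenge response"
        # An identical token is treated as a capture being replayed.
        if token == row["ck"] or token in row["recent"]:
            return "blocked: exact token replay"
        if not tokens_match(token, row["ck"]):
            return "blocked: fingerprint mismatch"
        row["recent"].append(token)
        return "authorized"


def phone_respond(fresh_token, ck, encrypted):
    """FCPD side: decrypt with the received CK only if the fresh print matches."""
    if not tokens_match(fresh_token, ck):
        return None
    return xor_crypt(ck, encrypted), tuple(fresh_token)


def demo():
    # Constructed sample minutiae as (x, y) pairs.
    enrolled = ((10, 12), (40, 8), (25, 30), (55, 41), (18, 50))
    fresh = ((11, 13), (39, 8), (25, 31), (56, 40), (18, 49))  # same finger
    other = ((70, 70), (5, 60), (33, 2), (61, 15), (48, 48))   # different finger
    cas = CAS()
    cas.enroll("MIN-0001", enrolled)
    results = []
    ck, enc = cas.issue_challenge("MIN-0001")
    response, token = phone_respond(fresh, ck, enc)
    results.append(cas.verify("MIN-0001", response, token))
    # CK is public, so the challenge can be decrypted by anyone; the token
    # checks are what decide the remaining cases.
    for presented in (fresh, ck, other):
        ck, enc = cas.issue_challenge("MIN-0001")
        results.append(cas.verify("MIN-0001", xor_crypt(ck, enc), presented))
    return results


if __name__ == "__main__":
    print("\n".join(demo()))
```

The sketch uses plain (x, y) tabulations as tokens for brevity; the description goes on to note that such tabulations tolerate minor modification and therefore prefers inter-minutiae distance-vector-derived formats.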



30 



35 



As known in the state of the art, many fingerprint matching schemes involve the generation of inter-minutiae-based keys (i.e., distance vectors, etc.) that while being generally similar will vary between multiple impressions of the same finger. Various inter-minutiae distance-vector-derived formats are known in the art. Many of these (as well as variations on them) may be suitable for generating keys in accordance with this invention. Such keys may, of course, also serve as tokens such as CK 202 in this invention. Suitable matching schemes are described in, for example, US Patent No. 4,747,147 issued to Sparrow on May 24, 1988, US Patent No. 5,493,621 issued to Matsumura on February 20, 1996, and information provided at the World Wide Web site www.Luccnt.Co.WP.css/0597/minul.GAF. Each of these documents is incorporated herein by reference for all purposes. A typical description of a processed fingerprint is a list of x, y and angle tabulation of each minutia. Minor modification to these linear values (e.g., adding slight random displacements) will still reflect the same underlying fingerprint, allowing for variation during multiple impressions (e.g., slight distortions and rolling during the pressing of the finger). Thus, using straightforward minutiae tabulations as tokens is susceptible to minor modification that could result in illegal phone

A different and frequently used description of fingerprint information is the inter-minutiae distance vector information. Such descriptions are inherently non-linear in nature and so when tabulations of these are randomly or systematically modified (i.e. without explicit knowledge of the inherent non-linearity) in minor and linear ways, the new modified tabulation will not, in general, reflect the underlying original fingerprint, even when allowing for variation between multiple impressions of the same fingerprint.

Thus use of such inter-minutiae distance-vector-derived keys (tokens) for matching
purposes will foil wireless fraudsters who may somehow illegally capture the transmitted
and encrypted fingerprint information and try to use the exact same keys to fraudulently
activate phone calls. That is, in general legal phone use, one expects the transmitted
fingerprint keys to be somewhat different each time, and different in a way that makes
sense with respect to the fingerprint. In illegal use, where the encrypted keys are captured,
decrypted and re-transmitted, the repeated use of a set of exact same identical keys can be
readily detected. Any minor modification of the keys must, in order to pass as genuine, be
compatible with the true fingerprint; made without specific prior knowledge of the
non-linear relationships, it will not be, thus leading to the detection of such fraudulent use.

The advantages of using a central authentication platform and a "challenge-
response" authentication method are described in U.S. Patent No. 5,420,908 described
above. However, the "challenge-response" authentication suggested in that patent differs
significantly from the current invention in at least two ways: First, the patent suggests a
shared secret key (S-key) between the wireless phone and the central authentication system.
This necessarily requires a specialized memory chip that can store the S-key to be part of
the wireless phone itself. Therefore, in the event that the wireless phone is lost or stolen,
illegal calls can be made from the phone unless special instructions to block such newly
illegal calls have been sent to the central authentication system. The current invention, in
contrast, relies on information that is stored at the user's fingertips itself, and therefore
does not require the wireless phone unit itself to store any secret key/information.
Consequently, a stolen or lost phone cannot be used illegally. Second, the challenge-
response method described in the '908 patent does not transmit the S-key itself over the air
interface. The present invention may allow transmission of the "secret" key through the air
interface, because the present challenge-response authentication scheme is not dependent on
the "secret" key per se. In a preferred embodiment, however, the key (CK 202) is kept
secret by some acceptable technique such as sending the challenge and response over
variable channels unrelated to the voice transmission and/or providing additional encryption
of the keys themselves.

By using personal biometric information, like fingerprints, the present invention
may overcome the major drawbacks of the generic "challenge-response" authentication
schemes as typified by the '908 patent method.

FIGS. 3A and 3B present a flow chart of one typical sequence of events in a
"challenge-response" authentication of this invention. The user begins the process at a step
300 by dialing a telephone number using the keypad 112 of the wireless telephone 102.
The MIN, ESN, and the phone number of the party being called are transmitted to MSC
103 at a step 301. At a branch point 302, as in a conventional system, MSC 103 either
confirms the legitimacy of the MIN-ESN pair and goes to a next step 303, or blocks the call
at a step 315. At a branch point 303, the MSC determines if the user of the MIN requested
additional security. If the result is NO, the call is connected just as routinely done in a
conventional system at a step 316. If the result is YES, the MIN is sent to the CAS 106 at
a step 304.

In a step 305, CAS 106 accesses MCKD 107 and requests token CK 202 that is
associated with the MIN. CAS 106 then generates a challenge that is different each time.
This is then encrypted with the token 202 in a step 306. The CAS 106 sends token CK
202 and the encrypted challenge to the wireless telephone via a step 307 using PSTN or
Internet 105. Additional layers of security can be added to the encrypted challenge and CK
202 if so desired. For example, the encrypted challenge can be sent to the mobile wireless
phone over a different wireless forward channel.

In a step 308, the user gives his/her fingerprint to the FCPD 101 and this is used to
generate a token. In certain variations, step 308 can be performed at any point after step 301
and the generated token stored in a memory 404 (FIG. 4). After the encrypted challenge
has been sent to phone 102 and a token has been generated from the user's fingerprint,
FCPD 101 compares the generated token with the token it received from the CAS 106 at a
conditional branch point 309. If they do not match, the call is blocked at a step 315. In
one embodiment, whenever a call is blocked the token sent by FCPD 101 of the caller's
fingerprint can be forwarded via MSC 103 through CAS 106 and specially stored for later
criminal investigation of fraudulent phone use (step 318). If they match, the token received
from CAS 106, or in other embodiments both tokens (including the one generated at the
phone), is used to decrypt the challenge sent from CAS 106 in a step 310 (begin FIG. 3B).
The FCPD 101 then sends both the now-decrypted challenge and the locally generated
token (from the user's fingerprint captured on FCPD 101) back to CAS 106 by way of
MSC 103 via a step 311.

Generally, the invention's direct mapping of individuals personally to the phone
calls they make also allows the mapping of callers who attempt unsuccessful break-ins into
the wireless phone system. Permanent records of the tokens generated from the
fingerprints of callers attempting illegal entry can be kept, if desired, for further criminal
investigation. More importantly, the mere idea of the potential of being caught when
illegally using someone else's phone may greatly reduce phone fraud.

After receiving the decrypted challenge from FCPD 101, CAS 106 compares it with
the challenge stored in a CAS temporary memory 607 (FIG. 6) at a conditional branch
point 312. If the match is not successful the result from step 312 is NO and the call is
blocked at a step 315 and then step 313 may be permitted if so desired. If there is a match
the result is YES and the process moves on to a conditional step 313. At this step, CAS
106 compares the token generated from the user's fingerprint captured and sent by FCPD
101 to one or more stored in its database 107 at column 202. If these tokens do not match,
the call is blocked, again at step 315 and step 318 is optionally performed. This second
matching of the tokens (note that they were initially compared at step 309) is provided for
additional security and may be dispensed with if desired.

Next, at an optional decision step 320, CAS 106 compares the token received from
FCPD 101 with one or more stored tokens which were previously received from FCPD
101 and CK 202. These previously received tokens are preferably those stored in column
204 of database table 107. If it is found that the most recently received token exactly
matches one of the tokens stored in columns 202 and 204 of database 107, the call is
blocked at step 315 (and step 318 is optionally performed). As noted above, tokens are
generally not identical if they capture a fingerprint with sufficient resolution because each
fingerprint from a given individual will vary slightly (e.g., the minutiae may be slightly
offset from one another). To ensure authentication in the case where a given individual
actually does give two identical legitimate tokens, the system may only block the call if two
or more successive tokens exactly match one or more of the stored tokens.

If the tokens match at step 313 but not identically (optional step 320), the call is
authenticated for connection at a step 314. Thereafter, at a step 316, the process returns to
the routine present-day calling protocol to complete the connection. If needed, allowance
for failed authentication due to severe token corruption from wireless noise etc., can be
made by having the protocol automatically re-try the entire procedure at step 304. The
entire process exits at a step 317 and ends the illustrated flow-diagram.

In a further preferred embodiment, the format of the embedded fingerprint minutiae
contains a timestamp specifying the time at which the user's fingerprint was taken. The
CAS would then deny access if the timestamp was not from an appropriate window in time
(chosen to allow for a reasonable delay between transmission of the challenge and receipt
of the newly generated fingerprint token). If a person should intercept the user's
fingerprint token, not only would he/she have to extract the fingerprint minutiae, but he/she
would also have to properly update the timestamp in order to defeat the system. In some
embodiments, the CAS only checks for the timestamp, rather than examining the newly
received token for an exact match to some multiple previously received tokens.
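
The CAS-side checks described above (challenge comparison at step 312, tolerance-based token matching at step 313, exact-match replay rejection at step 320, and the timestamp window) can be sketched as follows. This is an added illustration, not code from the patent; the class and function names, the tolerance, pairing fraction and time window are assumptions, and the encryption of the challenge with the token is left out because the text does not specify a cipher.

```python
import hmac
import math
import secrets
from dataclasses import dataclass

TOLERANCE_PX = 4.0         # assumed: max distance for two minutiae to pair
MIN_PAIRED_FRACTION = 0.8  # assumed: share of minutiae that must pair
WINDOW_S = 30.0            # assumed: accepted token age, in seconds


@dataclass(frozen=True)
class Token:
    minutiae: tuple    # ((x, y), ...) minutiae coordinates in pixels
    timestamp: float   # capture time embedded in the token, in seconds


def tokens_match(stored, fresh):
    """Pair minutiae one-to-one by 2-D distance, within TOLERANCE_PX."""
    unused = list(fresh.minutiae)
    paired = 0
    for sx, sy in stored.minutiae:
        near = [(math.hypot(sx - fx, sy - fy), i)
                for i, (fx, fy) in enumerate(unused)]
        near = [n for n in near if n[0] <= TOLERANCE_PX]
        if near:
            unused.pop(min(near)[1])   # consume the closest candidate
            paired += 1
    larger = max(len(stored.minutiae), len(fresh.minutiae))
    return larger > 0 and paired >= MIN_PAIRED_FRACTION * larger


class CentralAuth:
    """Hypothetical stand-in for CAS 106 with its MCKD 107 table."""

    def __init__(self):
        self.ck = {}       # MIN -> enrolled token (column 202)
        self.recent = {}   # MIN -> previously received tokens (column 204)
        self.pending = {}  # MIN -> outstanding challenge (memory 607)

    def enroll(self, min_, token):
        self.ck[min_] = token
        self.recent[min_] = []

    def issue_challenge(self, min_):
        # A fresh random challenge per call attempt ("different each time").
        self.pending[min_] = secrets.token_bytes(16)
        return self.pending[min_]

    def verify(self, min_, response, token, now):
        if min_ not in self.ck:
            return "BLOCK: unknown MIN"
        challenge = self.pending.pop(min_, None)   # each challenge is single use
        if challenge is None or not hmac.compare_digest(challenge, response):
            return "BLOCK: challenge mismatch"          # step 312
        if not tokens_match(self.ck[min_], token):
            return "BLOCK: fingerprint mismatch"        # step 313
        # Step 320: a bit-identical minutiae set means a captured token is being
        # replayed. Comparing minutiae only also catches a replay whose
        # timestamp has been rewritten.
        seen = [self.ck[min_]] + self.recent[min_]
        if any(token.minutiae == old.minutiae for old in seen):
            return "BLOCK: replayed token"
        if not 0 <= now - token.timestamp <= WINDOW_S:
            return "BLOCK: stale timestamp"
        self.recent[min_].append(token)
        return "CONNECT"                                # step 314


# Constructed sample data (not from the patent).
ENROLLED = Token(((52, 40), (88, 61), (120, 35), (75, 110),
                  (140, 96), (33, 150), (101, 142), (160, 170)), 0.0)


def shifted(token, dx, dy, timestamp):
    """Simulate a new impression of the same finger: each minutia moves a little."""
    return Token(tuple((x + dx, y + dy) for x, y in token.minutiae), timestamp)


if __name__ == "__main__":
    cas = CentralAuth()
    cas.enroll("MIN-0001", ENROLLED)
    fresh = shifted(ENROLLED, 1, -2, 100.0)
    print(cas.verify("MIN-0001", cas.issue_challenge("MIN-0001"), fresh, 101.0))
    # The same token presented again, even against a new challenge, is refused.
    print(cas.verify("MIN-0001", cas.issue_challenge("MIN-0001"), fresh, 105.0))
```

The replay check runs before the timestamp check so that a captured token is reported as a replay even when it is presented inside the time window.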

FIG. 4 is a diagram presenting one embodiment of the FCPD 101 and its
interconnection with the wireless telephone 102 (FIG. 1). The illustrated FCPD 101
contains a fingerprint imager 417 for converting a fingerprint from a finger 415 into a
fingerprint image. FCPD 101 also includes a CPU (central processing unit) 401 that can
supply all the computational needs of the "challenge-response" authentication process, and
more importantly all necessary processing of fingerprint images and their subsequent
comparison. An interface port 402 and a data bus line 403 are together capable of handling
all the communications between various parts of FCPD 101 and wireless telephone 102.
This includes all types of serial interfaces and voice channels for transmitting and receiving
data. A memory module 404 stores at least those items necessary to the operation of FCPD
101 including: 1) a software program 405 which contains program codes for fingerprint
image processing, matching, decryption of the challenge, and the generation of responses;
and 2) a response storage unit 406 which temporarily stores the response before sending it
to the CAS 106.

CPU 401 can be any suitable integrated circuit or electronic design including
multichip modules and circuitry formed on printed circuit boards. If it is an integrated
circuit, it may be a general purpose microprocessor, a logic device such as an application
specific integrated circuit (ASIC), etc. Examples of suitable ASICs include gate arrays,
simple and complex programmable logic devices (PLDs), digital signal processors (DSPs),
and field programmable gate arrays (FPGAs).

In one embodiment, fingerprint imager 417 includes a fingerprint capture surface
such as a window or capacitor array which produces an image of the user's fingerprint
when the user places his or her finger thereon. In addition, imager 417 includes the optics
necessary to direct an optical image of the fingerprint onto a solid state imager which also
forms part of the fingerprint imager. The solid state imager, which is preferably a CCD array
or a CMOS photodiode/photogate array, generates an electronic image of the user's
fingerprint. If the solid state imager is a CMOS photodiode/photogate array, it may be
provided on a single integrated circuit together with processing logic such as CPU 401.
Further details of suitable optical fingerprint imagers are provided in U.S. Provisional
Application No. 60/025,949, "Embeddable Module for Fingerprint Capture and Matching,"
filed on September 11, 1996, and naming R. Rao, S. Subbiah, Y. Li & D. Chu as
inventors. In an alternative embodiment, imager 417 may be a capacitor array formed on a
semiconductor substrate such as that described in the May 22, 1997 edition of the San
Francisco Chronicle, "New Chip Verifies Fingerprints," which pertains to a product of
Veridicom Corporation. In another alternative embodiment, imager 417 may be an
ultrasonic mechanism formed on semiconductor substrates.

It is important to note here an advantage over the "challenge-response"
authentication method presented in U.S. Pat. No. 5,420,908 (referred to as the Secret-
Key). In the present invention, the "key" need not be persistently stored in the FCPD 101
module. Therefore the wireless telephone cannot be used by any other user even when it is
lost or stolen.

In a preferred embodiment, telephone 102 is a conventional wireless telephone. It
communicates with FCPD 101 over a connection line 407 which may be a parallel or serial
connection. Telephone 102 may contain a key pad 411, all necessary telecommunication
functions 413 (including a stored MIN and provisions for generating a dialed number from
key pad inputs), data bus lines 412, and an interface port 410 for communicating with
FCPD 101 (over connection line 407) and with wireless stations such as an MSC. It is
important to note that interface port 410 should be capable of interfacing not only voice
communication signals (for standard mobile phone operation), but other communication for
control between the CAS 106 and the FCPD 101 to complete the "challenge-response"
authentication. In a preferred embodiment, interface port 410 is capable of sending and
receiving fingerprint data over a data channel which operates at a different frequency from a
communications channel which sends and receives the wireless communications (e.g.,
voice data).

Preferably, FCPD 101 is integrated directly within the casing of a conventional
wireless telephone or other communication source. The only distinction being the presence
of a fingerprint capture window on the side of the telephone and accessing imager 417. In
an especially preferred embodiment, a single integrated circuit provides most of the
functions of FCPD 101 and telephone 102. These functions include, for example, CPU
401, memory 404, and telecom functions 413. As functions from both FCPD 101 and
telephone 102 are provided on the same chip, interface port 402 and connection line 407 are
not required. A modified version of interface port 410 having only the functionality
necessary to communicate with other wireless stations (not FCPD 101) may be employed
on the integrated circuit. This single chip embodiment has the advantage of an extra layer of
security as thieves will be unable to directly monitor signals crossing connection line 407.

If fingerprint imager 417 is a CMOS imager, it may be integrated with other
components on the integrated circuit. If imager 417 is a CCD array, it typically will have to
be provided on a separate chip.

Suitable design parameters of FCPD 101 can be specified based upon the general
requirements of fingerprint analysis and matching algorithms. A typical human fingerprint
has an aspect ratio of about three to two; that is, it is one-half times as long as it is wide.
The average fingerprint has about 50 ridgelines separated by intervening valley lines that
are about equally as thick. Generally the lines run from left to right and as they do they
first traverse upwards and later downwards. Given this amount of information, the Federal
Bureau of Investigation has suggested that fingerprint detection systems should provide an
array of 512x512 pixels since it allows for at least four pixels per ridgeline and four per
valley line. Preferably, though not necessarily, the imager employed in the FCPD 101
contains an array of at least 512x512 pixels. Using sophisticated fingerprint imaging
algorithms such as those described in the above-referenced US Provisional Application
60/025,949, significantly smaller arrays can be employed. In one embodiment, the array
may include 240x160 pixels or, in another embodiment, 120x160 pixels. The use of such
small arrays has the advantage of requiring (1) less processing resources from CPU 401
and (2) less space from memory 404 during processing of a large array of fingerprint data.

Accurate fingerprint matching technology, which is well-known in the art (see, for
example, U.S. Pat. No. 2 952 181, 4 151 512, 4 322 163, 4 537 484, 4 747 147, 5 467
403 which were previously incorporated by reference), has for over a hundred years relied
on the extraction and subsequent comparison of specialized features called minutiae.
Minutiae are essentially of two equally frequent types - either the abrupt ending of a line in
the middle of the fingerprint or the fusion of two lines to create a Y-shaped junction.
Typically there are about 60 or 70 such features in a fingerprint and it is the relative location
of these from each other that creates a unique spatial pattern that statistically no other human
can possess.

Suitable methods of fingerprint matching may involve software processing steps as
illustrated in FIG. 5. After capturing the fingerprint image (step 501), a contrasting
algorithm (step 503) reduces all the gray shades of a captured image 502 to either black (for
ridgelines) or white (for valley lines) as shown in image 504. Traditionally these
algorithms are omni-directional. Basically, the particular shade of gray at each pixel is
compared with those of the neighboring pixels in all directions and if judged to be relatively
darker than most of its neighbors it is deemed to be black, otherwise white. After this
contrasting step, the contrasted image 504 is further processed by a thinning algorithm
(step 505). The object here is to reduce the black lines from being on average four pixels
thick to only one pixel thick, thereby increasing the number of white pixels substantially.
A thinned image 506 is then examined by further algorithms (step 507) that attempt to
deduce and accurately extract the minutiae and their locations as shown in a map 508. The
process is then completed at 509. All further fingerprint matching/comparison often relies
primarily on these 60 or 70 extracted pieces of information.
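
As an added illustration (not code from the patent or its referenced applications), the contrasting step 503 and the minutiae extraction step 507 can be sketched as below. The contrast margin `delta`, the border `margin`, and the crossing-number test used to classify line endings and Y-shaped junctions are assumptions chosen here; the thinning step 505 is not implemented and the thinned image is constructed by hand.

```python
# Clockwise 8-neighbourhood offsets (row, col), starting at north.
RING = [(-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1), (-1, -1)]


def contrast(gray, radius=1, delta=30):
    """Step 503: a pixel becomes ridge (1) when it is darker by at least
    `delta` than more than half of its in-bounds neighbours, else valley (0)."""
    h, w = len(gray), len(gray[0])
    out = [[0] * w for _ in range(h)]
    for r in range(h):
        for c in range(w):
            darker = total = 0
            for rr in range(max(0, r - radius), min(h, r + radius + 1)):
                for cc in range(max(0, c - radius), min(w, c + radius + 1)):
                    if (rr, cc) == (r, c):
                        continue
                    total += 1
                    if gray[rr][cc] - gray[r][c] >= delta:
                        darker += 1
            out[r][c] = int(2 * darker > total)
    return out


def extract_minutiae(skel, margin=1):
    """Step 507 on a one-pixel-wide skeleton: count 0/1 transitions around
    each ridge pixel. One ridge leaving the pixel is a line ending, three
    is a Y-shaped junction. Pixels within `margin` of the border are skipped
    because a ridge that simply leaves the image is not a true ending."""
    h, w = len(skel), len(skel[0])

    def px(r, c):
        return skel[r][c] if 0 <= r < h and 0 <= c < w else 0

    found = []
    for r in range(margin, h - margin):
        for c in range(margin, w - margin):
            if not skel[r][c]:
                continue
            ring = [px(r + dr, c + dc) for dr, dc in RING]
            crossings = sum(abs(ring[i] - ring[(i + 1) % 8]) for i in range(8)) // 2
            if crossings == 1:
                found.append((c, r, "ending"))        # reported as (x, y, kind)
            elif crossings == 3:
                found.append((c, r, "bifurcation"))
    return found


# Constructed gray image: one dark vertical ridge (column 3) under uneven
# lighting. The ridge in the bottom row (120) is brighter than the valley in
# the top row (100), so no single global threshold separates them.
GRAY = [[(100 + 20 * r) - (60 if c == 3 else 0) for c in range(7)]
        for r in range(5)]

# Constructed thinned image: a Y-shaped ridge whose stem runs off the bottom edge.
SKELETON = [[int(ch == "#") for ch in row] for row in (
    ".........",
    ".#.....#.",
    "..#...#..",
    "...#.#...",
    "....#....",
    "....#....",
    "....#....",
    "....#....",
    "....#....",
)]

if __name__ == "__main__":
    for row in contrast(GRAY):
        print(row)
    print(extract_minutiae(SKELETON))
```

The (x, y) positions returned by `extract_minutiae` are the kind of tabulation that token matching later compares within a tolerance.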

Central authentication system (CAS) 106 is preferably, though not necessarily,
provided as a server or other node connected to one or more MSCs over a public switched
telephone network. CAS 106 may also have wireless connection to an MSC or may even
form a part of the MSC. Generally, CAS 106 must be able to generate and compare
challenges, access a database of fingerprint based tokens, and communicate with a plurality
of wireless sources (e.g., mobile cellular telephones) via the one or more MSCs.

FIG. 6 is a diagram of CAS 106 in accordance with one embodiment of this
invention. The design is superficially similar to the FCPD 101 (and the design presented in
U.S. Pat. No. 5,420,908). Connected to CAS 106 are PSTN 105 and MCKD 107. CAS
106 must be able to handle, simultaneously, many calls from many wireless carriers. It
includes a memory 605 including a persistently stored program 606 and various
temporarily stored items including a challenge 607, a response token 608, and a decrypted
message 609. Program 606 contains the instructions for generating a challenge, encrypting
the challenge with a fingerprint based token, validating a decrypted challenge (e.g., by
comparison with the generated challenge), fingerprint matching based on tokens, and, in
some embodiments, comparing a response token with one or more stored tokens and
further assuring that tokens are not identical as that would imply illegal use. Response
token 608 is a memory entity containing the token sent back from the FCPD 101 in the
wireless telephone 102 before token matching is conducted. When a new token is provided
from FCPD, the stored token is updated.

In addition, CAS 106 includes a CPU 602 for controlling the execution of a
program 606, accessing memory 605, communicating with the MSCs over the PSTN.
Communication over the PSTN is provided through a data interface 601 in CAS 106 which
is connected to the PSTN over a line 105. In addition, CAS 106 communicates with
MCKD database 107 through a database interface 603 as shown. CPU 602, memory 605,
database interface 603, and data interface 601 communicate with one another over a data
bus 604.

In a preferred embodiment, the initial registration of the phone-owner's fingerprint
at the CAS 106 to create the appropriate entry into the MCKD 107 need not require the user
to visit the central phone service provider. When the phone-owner purchases or rents the
wireless phone at any local phone store he or she can use the FCPD 101 on the newly
purchased wireless telephone 102 itself to activate registry at the CAS 106 via the common
air interface and MSC 103. The phone's ESN and MIN can be sent along with the owner's
fingerprint and placed in the CAS database for future use.

In yet another embodiment of the present invention, multiple users can be permitted
to use the same wireless phone. All that is required is that the MCKD 107 at the CAS 106
be allowed to contain multiple CKs 202, one generated from each user of the same phone.
Such authorization can in principle be activated/initiated by the phone owner serving as a
master user who can at any time recruit additional users to be able to use their phone. By
activating appropriate buttons on the phone, the master user can in principle activate the
phone and the CAS 106 to receive a newly recruited user's fingerprint for association with
the master user's entry in the MCKD 107. The master user can remotely authorize this
action by simply validating it with his/her fingerprint. Again by engaging a pre-defined
sequence of buttons on the phone the master user could also in principle remove previously
authorized co-users.

In a further embodiment of the present invention, the phone owner could use more
than one fingerprint as a means to authenticate his/her identity. The MCKD 107 can be
arranged to contain information regarding more than one fingerprint of the owner. In fact,
if additional password-like security beyond fingerprint security is desired, the owner can
provide multiple fingerprints from different fingers in a particular secret order. This can
serve as a "password" known only to the owner.

In one use of the current invention, the traditional MINs and ESNs associated with
wireless phones are no longer required. The wireless telephone 102 will have an integrated
FCPD 101. When a user dials a number, the number of the party being called and the
token generated from the fingerprint of the user on the FCPD 101 will be sent to the MSC
103 and then forwarded to the CAS 106 for authentication based only on the fingerprint
token of the user for billing and authorization purposes. Because each fingerprint token
generated from the same finger will be different, a token intercepted from the common air
interface cannot easily be used for fraudulent use of wireless telephones. If a particular
token generated from a fingerprint is captured illegally from the air interface and
subsequently used repeatedly to authorize illegal calls, this can be detected very easily by
l„s L ! "cncra,cd Hon, ,l,c same f,n S crpr,n, Because such vanauons ,n ,he S ene,a,ed
STS»e ,0 lhc way fin g erpr,n, ,nforma,ion « dis.ribu.ed on .he finger ,,sc„. ,hcsc 
vatior anno, be ,,eancd tan, .llc 8 a„y cap,ur,n S one **» — from ,hc common 
, " ".a, .J. -okens 6 c„cra,cd from ,hc same flnJ-pH* a, diffcrcn, ,mprc S ,ons 

rCPD H>, will va, 7 so ,ha, mere., l.avin s illegally capuued one o, ,l,esc — 

:;:rje „, r'„;:;::;: 
l0 :;r,nve„ u ;n «. ^ „, ^ „ u, „ y ^ *». . r 

calls. 

,„ anome, use of Ihc currcm mvcniion. ,hc .dcn.uy of the use, can be au„,cnuca,cd 
for ,„e ^ose of ,dcn„fvin S .he eaUer's persona, idcn.ny ra,hcr ,han merely , e ph ,K 
ZLc caller inmarcd ,he call - i.e. ,l,e source ,crmi„al-ID. In one emboduncm of 
numbc, horn me e^u nm ^ ^ dclcmmcd by 

' S T c" b 'i: ,v a l -o ,hc cal, conrro, e„,uy or ,hc rcc.picn, of rbe call. 

Based on the prior knowledge of who the caller is (and not just merely what phone number
the caller is calling from) the call recipient may elect to block the
authenticated as being non-fraudulent at step 3 14. 

The current invention also provides a method for the identification of the caller 
M The cmrcnt ». ^ (wncre lhc 

phone numbci ol mc c.iuci ^ \w> c -aIM 
L,p,en, of ,hc phone can ,„ a ^^J^^^^Z real,, 

II ,o capuarc/comparc f.ngerprin, .nformadon and commun,ca,c w„„ an MSC 
llion can allow ,he caller ,o be personally iden,,fied ^ ' ^ 

u~ ^ m ihc call control entity or the recipient for call scrccnin e oi 

authenticated for an even higher level of security in phone networks. 

As mentioned, the technology described herein may be employed in contexts other 

invention may be employed to ensure 
*" w r s-uri,, sysrem. M»,y auromobiles now cmp,o, 

"^TX. ^ -no,e con.ro, of doo, loc.ine. au,omo,,ve alarm sys.cms. 
can unlock the car doors or activate/inactivate other car systems before actually reaching the
car. This is accomplished with the click of a button on a wireless control module.
Unfortunately, if such a module falls into the hands of a thief (or if the wireless signal is
illegally captured through the air and decoded), he may be able to circumvent the car's
security mechanism(s) and obtain control of the car. The present invention provides a
mechanism to protect against this possibility.

Wireless car security systems of this invention may employ a wireless control
module (source) containing the logic necessary for capturing and transmitting a token based
upon a user's fingerprint. The logic may be contained within a module as described above
with reference to FCPD 101. Generally, the vehicle itself may provide most of the
functionality described above with reference to CAS 106. Of course, it need not provide
access to a PSTN or database 107. However, it should include a fingerprint token of the
car operator and possibly multiple recently received tokens so that access may be blocked if
the token exactly matches a received token.

The vehicle protection mechanism of this invention may operate as follows. First,
the system on board the vehicle determines that a request for access to the vehicle has been
initiated from a wireless source. Next, the vehicle system determines whether the source
fingerprint data provided at the wireless source matches stored fingerprint data provided for
the vehicle. Access to the vehicle is then permitted (e.g., car doors are unlocked) if the
source fingerprint data matches the stored fingerprint data. In some embodiments, the
wireless source may prompt its user for a fingerprint from which to generate the source
fingerprint data.

In especially preferred embodiments, a full challenge-response protocol as
described above with reference to Figures 3A and 3B is employed. This may involve
generating an encrypted challenge from a challenge and a token based on the fingerprint
data stored with the automobile. Then, the encrypted challenge and the stored fingerprint
token are sent to the source where the stored and source fingerprints are compared. If they
match, one of the fingerprints is used to decrypt the encrypted challenge. The now
decrypted challenge and the source fingerprint data are then sent back to the automobile
where the decrypted challenge is confirmed and the source and stored fingerprints are again
compared. If all tests are passed, access to the automobile is permitted.

While the present invention has been described in terms of a preferred embodiment
and certain variations thereof, the scope should not be limited to the specifics presented
above. For example, while the system of this invention has been described as including a
central authentication system separated from a mobile switching center by a public switched
telephone network, the invention may be implemented by providing the central
authentication system within the mobile switching center. In this case, it may be necessary
to provide a mechanism for regularly updating the authentication system at each mobile
switching center. Further, the invention may be advantageously employed in systems that
do not employ a secret key. Importantly, the invention may rely on biometric information
other than fingerprints. Examples of such alternative biometric information include, but are
not limited to, a user's voice, personal information, photograph, hand shape, and retina.

Many similar variations on the above-described preferred embodiment may be
employed. Therefore, the invention should be broadly interpreted with reference to the
following claims.

CLAIMS

What is claimed is:

1. A method for authenticating a call to be made over a communication system,
the method comprising:

(a) determining that the call has been initiated from a source;

(b) determining whether source fingerprint data provided from said source
matches stored fingerprint data associated with said source; and

(c) if said source fingerprint data matches said stored fingerprint data,
allowing said call to be completed.

2. The method of claim 1, wherein the communication system forms at least
part of a wireless telephone network.

3. The method of claim 2, wherein the call initiated from the source may be
forwarded through any of a plurality of mobile switching centers.

4. The method of claim 2, wherein said source is a mobile cellular telephone.

5. The method of claim 4, wherein determining that a call is being initiated
includes detecting transmission of at least one of a mobile identification number (MIN) and
an electronic serial number (ESN) associated with the mobile cellular telephone.

6. The method of claim 5 further comprising confirming that said at least one
of the MIN and the ESN is valid.

7. The method of claim 1 further comprising:

requesting that said source fingerprint data be provided from the source of
said call.

8. The method of claim 1, wherein said fingerprint data is provided in an inter-
minutiae distance-vector-derived format.

9. The method of claim I, further comprising: 

35 encrypting a challenge with the stored fingerprint data to produce an 

encrypted challenge; and 

providing the encrypted challenge to the source for the purpose of 
decrypting by the source with the source fingerprint data. 
10. The method of claim 9, wherein the step of determining whether the source
and stored fingerprint data match comprises:

receiving a decrypted challenge from said source, which decrypted
challenge has been decrypted with the source fingerprint data; and

comparing the challenge with the decrypted challenge from the source.

11. The method of claim 1, further comprising:

determining whether the source fingerprint data is identical to one or more
instances of sample fingerprint data previously received; and

if the source and any one of the instances of the sample fingerprint data are
identical, preventing the call from being completed.

12. The method of claim 1, where the fingerprint data is provided in a
timestamp.

13. A method for accessing a vehicle with a wireless security system, the
method comprising:

(a) determining that a request for access to the vehicle has been initiated
from a wireless source;

(b) determining whether source fingerprint data provided at said wireless
source matches stored fingerprint data provided for the vehicle; and

(c) if said source fingerprint data matches said stored fingerprint data,
allowing access to the vehicle.

14. The method of claim 13, further comprising prompting a user of said
wireless source for a fingerprint from which to generate the source fingerprint data.

15. The method of claim 13, wherein the stored fingerprint data is stored in the
vehicle.

16. The method of claim 13, wherein the vehicle is a car and allowing access to
the car comprises unlocking the car.

17. A method for authenticating a call to be made over a communication system,
the method comprising:

(a) transmitting a dialed number to a switching center on said
communication network;

(b) receiving a user's fingerprint;

(c) generating source fingerprint data from said user's fingerprint; and

(d) if the source fingerprint data matches stored fingerprint data associated
with user, completing the call.

18. The method of claim 17, wherein the communication system forms at least a
part of a wireless telephone network.

19. The method of claim 18, wherein (a) through (d) are performed by a mobile
cellular telephone.

20. The method of claim 17, further comprising:

transmitting at least one of a MIN and an ESN to said switching center.
21. The method of claim 17, further comprising:

prompting the user to provide a fingerprint.

22. The method of claim 17, wherein generating source fingerprint data
provides the source fingerprint data in a format comprising inter-minutiae
distance-vector-derived information.

23. The method of claim 17, further comprising:

determining whether the source fingerprint data matches the stored
fingerprint data prior to completing the call.

24. The method of claim 23, wherein the stored fingerprint data is provided
from a database on a public switched telephone network.

25. The method of claim 17, further comprising:

receiving an encrypted challenge from the switching center;

decrypting the encrypted challenge with the source fingerprint data to
produce a decrypted challenge; and

transmitting said decrypted challenge to the switching center, such that if the
decrypted challenge is found to match an unencrypted challenge, specifying that the source
fingerprint data matches the stored fingerprint data.

26. The method of claim 17, wherein generating source fingerprint data
provides the source fingerprint data in a format comprising a timestamp.
27. A wireless communication device capable of rendering wireless
communications secure by requiring biometric information from a user, the device
comprising:

(a) a wireless communications interface for sending and receiving wireless
communications;

(b) a device for capturing the user's fingerprint; and

(c) a processing device capable of converting the user's fingerprint to
source fingerprint data which can be transmitted.

28. The device of claim 27, wherein the device is a wireless telephone.

29. The device of claim 28, wherein the wireless telephone includes a casing
and provided within said casing are the device for capturing the user's fingerprint and the
processing device.

30. The device of claim 27, wherein the wireless communications interface is
capable of sending the source fingerprint data to a remote location.

31. The device of claim 30, wherein the wireless communications interface is
capable of sending and receiving fingerprint data over a data channel which operates at a
different frequency from a communications channel which sends and receives the wireless
communications.

32. The device of claim 27, wherein the device for capturing the user's
fingerprint includes:

a fingerprint capture surface on which the user can place his or her finger to
produce an optical image of the user's fingerprint;

an imager capable of generating an electronic image of the user's fingerprint;
and

optics for directing the optical image of the user's fingerprint from the finger
print capture surface to the imager.

33. The device of claim 32, wherein the imager is selected from the group
consisting of CCD arrays and CMOS photodiode/photogate arrays.

34. The device of claim 33, wherein the imager is a CMOS
photodiode/photogate array which is provided on an integrated circuit together with the
processing device.
35. The device of claim 27, wherein the device for capturing the user's
fingerprint is a capacitor array formed on a semiconductor substrate or an ultrasonic
mechanism formed on a semiconductor substrate.

36. The device of claim 27, wherein the processing device is a CPU.

37. The device of claim 27, wherein the processing device is capable of
comparing the source fingerprint data with stored fingerprint data received from a remote
location, whereby when the source and stored fingerprint data are found to match, the
device allows a communication to proceed.

38. The device of claim 37, wherein the processing device is capable of
decrypting a challenge received from said remote location.

39. A central authentication system connected to a communications network and
capable of rendering wireless communications secure by processing biometric information
from a user, the device comprising:

(a) a communications interface for sending and receiving data
communications over said communications network;

(b) a database interface for accessing a database containing stored
fingerprint data associated with users of wireless communications devices; and

(c) a processor capable of determining whether a wireless communication
from a wireless communications device should be permitted based upon a match between a
fingerprint taken from said wireless communications device and stored fingerprint data
associated the wireless communications device.

40. The central authentication system of claim 39, wherein the communications
interface is coupled to a public switched telephone network.

41. The central authentication system of claim 40, wherein the data
communications are directed to one or more mobile switching centers.

42. The central authentication system of claim 39, wherein the database
includes, for at least one of said wireless communications devices, a plurality of received
tokens containing information from fingerprints taken at said wireless communications
device.
43. The central authentication system of claim 42, wherein the processor is
capable of comparing a newly received token from a given wireless communication device
with said plurality of tokens for said given wireless communications device.

44. The central authentication system of claim 39, wherein the processor is
capable of generating an encrypted challenge by encrypting a challenge with a token
containing said stored fingerprint data.

45. The central authentication system of claim 39, further comprising a memory
which persistently stores a program allowing the processor to determine whether wireless
communications from the wireless communications devices should be permitted.

46. The central authentication system of claim 45, wherein the memory can
store a challenge and a decrypted challenge so that the processor can determine whether the
challenge and the decrypted challenge match.
[Flow-chart text from the drawings: sequence of events in the challenge-response
authentication method]

Additional authentication required - depends on customer's pre-stated choice.

Send MIN to Central Authentication System (CAS 106) from MSC 103 via PSTN 105.

Identify the token that is associated with the MIN in the MIN-Challenge Key Database
(MCKD 107) at CAS 106.

The CAS 106 generates a challenge and encrypts it with the token CK 202. The
pre-encrypted challenge is stored locally at CAS 106 for later use.

CAS 106 sends the encrypted challenge and token to the MSC 103 by PSTN 105. This is
then forwarded to the wireless phone 102 via air interface.

FCPD 101 requires the wireless phone user to input fingerprint locally, so that a token
can be generated from it.

FCPD 101 compares the locally generated token with the token (CK 202) received from
CAS 106 for match.

Wireless phone 102 uses the token from CAS 106 (i.e. CK 202) to decrypt the challenge
received from CAS 106.

The wireless telephone 102 sends the decrypted challenge and the locally generated token
back to the CAS 106 via the MSC 103.

The CAS 106 compares the decrypted challenge received from the wireless telephone 102
with its pre-encrypted challenge that had been stored temporarily (at step 306). Is there a
match?

The CAS 106 compares the two tokens for
Background of the Invention

The present invention relates to security measures for wireless telephones or cellular
mobile phones. More particularly, the invention relates to authentication methods
employing biometric information (e.g., fingerprints) to guarantee non-fraudulent use of
wireless telephones or cellular mobile phones.

As known in the state of the art, wireless telephones or cellular mobile phones are
identified by mobile identification numbers (MINs) and electronic serial numbers (ESNs).
Current protocols for wireless communication, either placing or receiving a call, require
both the MIN and the ESN to be broadcast through a standard common air interface (CAI)
between the wireless telephone and a mobile switching center (MSC) for identification and
billing purposes. However, such information can be easily intercepted and obtained via
specialized scanning equipment that is readily available. MINs and ESNs captured this
way can be illegally programmed into other cellular phones for the purpose of placing calls
that will be billed to the person that the MIN and ESN has been legitimately assigned to.
This type of theft has become a common practice world-wide, and millions of dollars are
lost to wireless service providers and law enforcement agencies (US $650 million in
1995).

Various methods have been proposed to solve this problem. One method
(described in U.S. Pat. No. 5,448,760) proposes the idea of requesting a personal
identification number (PIN) each time a call is placed. The PIN can be safely transmitted
through a different channel. However, this inconveniences the user and many users even
forget their PINs. Another method (described in U.S. Pat. No. 5,420,908) proposes
monitoring each customer's habit or calling pattern (also known as user profiles) and
blocking any calls that do not fit the customer's previous calling pattern. However, such a
method suffers from two problems: (1) the calling pattern of an owner is difficult to
accurately pin point (any time the calling pattern changes a legitimate call might be blocked)
and (2) it will not successfully block calls from phones that continually change the
MIN-ESN pair that they employ.

In another method (described in U.S. Pat. No. 5,420,908 issued to Hodges and
Rubenstein and incorporated herein by reference), a "challenge response"
scheme is proposed to solve fraudulent use in wireless communication. The proposed
[illegible] utilizes a central authentication system serving several MSCs which store
MINs with associated secret keys that are used to generate the "challenge response"
authentication. Having one central authentication system for several MSCs eliminates the
need for cross-system access between different MSCs. However, for security reasons --
e.g., power failure, computer hacker attacks, natural disaster, etc. -- there should be at least
one additional remote site that maintains a mirror copy of the central authentication system.
Ideally, backup communication between central authentication system and [illegible]
both hot and cold backups to dynamically maintain identical copies at all times. All
MSCs communicate with the central authentication platform through a standard phone line.
This method also requires each wireless phone to have a device which contains special
[illegible] to generate a correct response to a specific "challenge". Each time that a user
[illegible] cellular phone, the MIN and ESN are sent to the MSC just as in the standard
[illegible] wireless communication today. Then the MSC sends the information
[illegible] switched telephone network (PSTN) [illegible] authentication platform. The
central system then takes the secret key which is associated with the MIN and generates a
challenge which is sent to the [illegible] different wireless forward channel. The cellular
phone then uses its special internal module to generate a response to the challenge which is
then sent back to the MSC by wireless and then forwarded to the central system via
standard PSTN lines. The central system then compares the cellular phone's response to
the pre-calculated response value it expects. If the response is correct the use is authorized.

Such a system has certain advantages and should improve security in wireless
communication. Although no specific type of secret key was disclosed in the '908 patent,
[illegible] secret keys - including a string of special integers - suffer major drawbacks.
First, computer systems are always subject to intruders/hackers. For example, just recently
there was the much celebrated case of Tsutomu Shimomura, the network security expert, and
his attacker Kevin Mitnick, the outlaw computer hacker (in TakeDown by John Markoff and
T. Shimomura, Hyperion Press: USA 1995). In the case of a break-in or even a suspicion
of a break-in, all stored secret keys are rendered useless and all the keys need to be
updated. This necessarily means that all the users have to visit their service provider in
person and update their secret key. Second, if only one or a few keys are stolen at any
given time, the system would not be able to detect the theft until the end of each billing
cycle (if even then). Third, the "challenge" is MIN-specific; the thieves who capture the
MIN and ESN through the air interface can also capture the "challenge" and its response
and attempt to crack the secret key. While some encryption methods like RSA can be made
very secure now, the powerful computers that can be expected to become widely available
in the future may allow secret keys to be cracked with the knowledge of multiple challenges
and their responses. Still further, with the global computer connectivity, Internet viruses
have become a major issue and almost every week there is a new virus that is released,
particularly from less developed countries. If the central authentication system gets infected
and the files tampered with, as before, all users have to return to their service provider to
have a new secret key reissued. All these four scenarios are quite likely to happen in our
age of high-tech criminals and even-higher tech teenage p.

What is needed, therefore, is an improved security system to protect against
unauthorized use of wireless communications. The method and associated system should
provide improved security and be easy to maintain.

Summary of the Invention

The current invention expands on the principles and protocols discussed above.
The relevant extension involves using a token generated from biometric information, the
user's personal fingerprint in particular, as the secret key in the context of a modified
"challenge-response" scenario. As will be explained, this virtually eliminates all of the
drawbacks discussed above. Most generally, the invention involves the use of fingerprint
matching to authenticate a call or other communication over a wireless communication
network. The matching may be employed at a central location on the network, at the
personal wireless device, or both.

One aspect of the invention provides methods of authenticating calls to be made
over a communication system. Typically, both a wireless source (e.g., a mobile telephone)
and a central authentication node that may service numerous nodes participate in the
methods - although each operates according to its own protocol.
An authentication method implemented on the central authentication node may be
characterized by the following sequence: (a) determining that the call has been initiated from
a source; (b) determining whether source fingerprint data provided from the source matches
stored fingerprint data associated with the source; and (c) if the source fingerprint data
matches the stored fingerprint data, allowing the call to be completed. Matching may
involve separate matching steps at both the source and the central authentication node. It
may also involve decrypting a challenge. In addition to the above basic steps, the
authentication node may request that the source fingerprint data be provided from the
source of the call. In the case of a mobile telephone system, the call initiated from the
source may be forwarded through any of a plurality of mobile switching centers to reach
the central authentication node. That is, the central authentication node may serve multiple
switching centers. In a preferred embodiment, the central authentication node accesses the
stored fingerprint data from a database that associates particular users' accounts with their
fingerprints. The fingerprint data (from the source or stored database) may be embedded in
a token having a format making it difficult to extract the fingerprint data. In one
embodiment, that token format may be an inter-minutiae distance-vector-derived format
such as one of the formats commonly employed in the art.

In one specific embodiment, the method also involves (a) encrypting a challenge
with the stored fingerprint data to produce an encrypted challenge; and (b) providing the
encrypted challenge to the source for the purpose of decrypting by the source with the
source fingerprint data. The step of determining whether the source and stored fingerprint
data match preferably involves (i) receiving a decrypted challenge from the source, which
decrypted challenge had been decrypted with the source fingerprint data; and (ii) comparing
the challenge with the decrypted challenge from the source. If the two match, then it is
assumed that the stored and source fingerprints also match and the call is allowed to
proceed.

In a particularly preferred embodiment, the method involves a further security
feature to avoid use of a stolen fingerprint token. This technique operates on the
assumption that each time an individual gives a fingerprint, the print is slightly different due
to the flexibility of the finger skin, the angle at which the finger is pressed down, etc.
Thus, it is exceedingly rare that any two finger imprints from a given user will be identical.
Recognizing this, the method may require the following: (a) determining whether the
source fingerprint data is identical to one or more instances of sample fingerprint data
previously received; and (b) if the source and any one of the instances of the sample
fingerprint data are identical, preventing the call from being completed.
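
The following added example (not part of the patent text) runs the challenge-response exchange and the identical-token check described above, following the flow-chart steps in which the CAS sends the encrypted challenge together with the token CK. The patent names no cipher or token encoding, so the HMAC-based XOR keystream, the tuple-of-distances token, the tolerance values and all identifiers are assumptions.

```python
import hashlib
import hmac
import secrets

TOLERANCE = 2        # assumed: max per-distance deviation that still agrees
MIN_AGREEING = 0.8   # assumed: fraction of distances that must agree


def tokens_match(a, b):
    """Fuzzy match of two tokens (tuples of inter-minutiae distances)."""
    if len(a) != len(b) or not a:
        return False
    agreeing = sum(1 for x, y in zip(a, b) if abs(x - y) <= TOLERANCE)
    return agreeing / len(a) >= MIN_AGREEING


def _keystream(token, nonce, length):
    """Stand-in cipher: HMAC-SHA256 in counter mode, keyed from the token."""
    key = hashlib.sha256(repr(tuple(token)).encode()).digest()
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(token, nonce, data):
    """Encrypt or decrypt (XOR is symmetric) under the token-derived keystream."""
    return bytes(d ^ k for d, k in zip(data, _keystream(token, nonce, len(data))))


class CentralAuthSystem:
    """CAS side: MIN -> token database, challenge issue, response checks."""

    def __init__(self):
        self.mckd = {}     # MIN -> enrolled token (CK)
        self.seen = {}     # MIN -> every token received so far for that MIN
        self.pending = {}  # MIN -> challenge stored until the response arrives

    def enroll(self, min_id, token):
        self.mckd[min_id] = tuple(token)
        # Assumption: the enrolment sample counts as "previously received".
        self.seen[min_id] = {tuple(token)}

    def start(self, min_id):
        """Generate a challenge, keep it, return (nonce, encrypted challenge, CK)."""
        ck = self.mckd[min_id]
        challenge, nonce = secrets.token_bytes(16), secrets.token_bytes(8)
        self.pending[min_id] = challenge
        return nonce, xor_crypt(ck, nonce, challenge), ck

    def finish(self, min_id, decrypted, fresh_token):
        """Check the returned challenge, then the returned token."""
        challenge = self.pending.pop(min_id, None)  # each challenge is single-use
        fresh = tuple(fresh_token)
        if challenge is None or not hmac.compare_digest(challenge, decrypted):
            return "reject: challenge mismatch"
        if fresh in self.seen[min_id]:
            # Two impressions of one finger are not expected to be identical,
            # so an exact repeat is treated as a copied token and blocked.
            return "reject: identical token seen before"
        self.seen[min_id].add(fresh)
        if not tokens_match(fresh, self.mckd[min_id]):
            return "reject: token does not match"
        return "accept"


def handset_respond(capture, nonce, encrypted, ck):
    """Handset side: local match against CK, then decrypt the challenge with CK."""
    if not tokens_match(capture, ck):
        return None  # wrong finger: no response is generated
    return xor_crypt(ck, nonce, encrypted), tuple(capture)


def demo():
    """Run three constructed calls and return the decision for each."""
    cas = CentralAuthSystem()
    min_id = "MIN-EXAMPLE-1"                                   # constructed
    enrolled = (41, 57, 63, 72, 88, 94, 105, 117, 126, 133)    # constructed
    capture = (42, 57, 62, 72, 89, 94, 105, 116, 126, 134)     # same finger, new press
    stranger = (12, 30, 55, 70, 99, 101, 140, 150, 160, 170)   # different finger
    cas.enroll(min_id, enrolled)
    results = []
    for sample in (capture, capture, stranger):
        nonce, encrypted, ck = cas.start(min_id)
        response = handset_respond(sample, nonce, encrypted, ck)
        if response is None:
            results.append("reject: no local match")
        else:
            results.append(cas.finish(min_id, *response))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second call reuses the exact token from the first and is refused even though its challenge response is correct, which is the behaviour the stolen-token paragraph asks for.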
Authentication methods implemented on a source such as a wireless telephone (as
opposed to the central authentication center as described above) may be characterized as
including the following steps: (a) transmitting a dialed number to a switching center on the
communication network; (b) receiving a user's fingerprint (possibly after a prompt); (c)
generating source fingerprint data from the user's fingerprint; and (d) if the source
fingerprint data matches stored fingerprint data associated with user, completing the call.
The source may itself determine whether the source fingerprint data matches the stored
fingerprint data prior to completing the call. In the case of a wireless telephone, the method
may also include traditional calling steps such as transmitting at least one of an MIN and an
ESN to the switching center.

In conjunction with the encryption technique described above for the central
authentication node, the source may perform the following steps: (i) receiving an encrypted
challenge from the switching center; (ii) decrypting the encrypted challenge with the source
fingerprint data to produce a decrypted challenge; and (iii) transmitting the decrypted
challenge to the switching center, such that if the decrypted challenge is found to match an
unencrypted challenge, specifying that the source fingerprint data matches the stored
fingerprint data (allowing the call to proceed).

A personal wireless communication device (e.g., a wireless telephone) suitable for
use with the authentication methods of this invention may be characterized as including the
following features: (a) a wireless communications interface for sending and receiving
wireless communications; (b) a device for capturing the user's fingerprint; and (c) a
processing device (e.g., a CPU) capable of converting the user's fingerprint to source
fingerprint data which can be transmitted. Preferably, the wireless device includes a casing
and provided within that casing are both the device for capturing the user's fingerprint and
the processing device.

The wireless communications interface should be capable of sending the source
fingerprint data to a remote location. Preferably, it should be capable of sending and
receiving fingerprint data over a data channel which operates at a different frequency from a
communications channel which sends and receives the wireless communications.

In one embodiment, the device for capturing the user's fingerprint includes: (i) a
fingerprint capture surface on which the user can place his or her finger to produce an
optical image of his or her fingerprint; (ii) an imager capable of generating an electronic
image of the user's fingerprint (e.g., a CCD array or CMOS photodiode/photogate array);
and (iii) optics for directing the optical image of the user's fingerprint from the finger print
capture surface to the imager. In a preferred embodiment, the imager is a CMOS
photodiode/photogate array which is provided on an integrated circuit together with the
processing device. In an alternative embodiment, the device for capturing the user's
fingerprint includes an imager which does not require optics. Examples of such
optics-free imagers include capacitor arrays or ultrasonic mechanisms formed on
semiconductor substrates.

The processing device should contain the logic and resources necessary for
comparing the source fingerprint data with stored fingerprint data received from a remote
location. Preferably, the processing device should also be capable of decrypting a
challenge received from the remote location.

As noted, the biometric "challenge-response" authentication scheme of this
invention preferably employs a central authentication platform serving several or all MSCs
and wireless phones. In this manner, the current invention seeks to prevent fraudulently
placed wireless calls using stolen MIN-ESN information.

Another aspect of the invention provides a central system or node
connected to a communications network and capable of rendering wireless communications
secure by processing biometric information from a user. Such central authentication
systems may be characterized as including (a) a communications interface for sending and
receiving data communications over the communications network; (b) a database interface
for accessing a database containing stored fingerprint data associated with users of wireless
communications devices; and (c) a processor capable of determining whether a wireless
communication from a wireless communications device should be permitted based upon a
match between a fingerprint taken from the wireless communications device and stored
fingerprint data associated the wireless communications device.

Often the communications interface will be coupled to a public switched telephone
network such that the data communications are directed to one or more mobile switching
centers on the network. The database - which may form part of the central authentication
system - preferably includes, for at least some of the wireless communications devices, a
plurality of received tokens containing information from fingerprints taken at the wireless
communications devices. The system then compares newly received tokens from a given
wireless communication device with the plurality of tokens for that wireless
communications device.

These and other features and advantages of the present invention will be further
described below with reference to the associated drawings.
Brief Description of the Drawings

Figure 1 is a block diagram of various components of the present invention as it may be
employed in a cellular phone system.

Figure 2 is a representation of a MIN-challenge key database used to store tokens
from biometric information in accordance with one preferred embodiment of this invention.

Figures 3A and 3B together present a process flow diagram depicting a sequence of
events in a challenge-response authentication method of the present invention.

Figure 4 is a block diagram depicting basic components of a fingerprint capturing unit
and an associated wireless telephone in accordance with a preferred embodiment of the present
invention.

Figure 5 is a flow diagram depicting a fingerprint matching technique that may be
employed with the present invention.

Figure 6 is a block diagram of a central authentication system for processing biometric
information from a mobile telephone in accordance with one embodiment of the present
invention.

Detailed Description of the Preferred Embodiments

The present invention is described herein in terms of a wireless telephone system.
The invention is not so limited. For all purposes of this current invention, the term
"wireless telephone" (or "wireless communication system") generically will be understood
to include cellular phones, personal communication systems, telephones, personal digital
assistants, wireless personal computers, wireless notebooks, etc. using analogue or digital
[illegible] technology. While the present invention is currently envisioned as providing
substantial benefit to wireless communications, there is in principle no reason why it could
not be applied to communications generally. Any communication that could benefit from
authentication may be implemented with the present invention. Such communications
include those made over a wire-based telephone system and employing account code.

The communications allowed over the communication system will sometimes be
[illegible]. Examples of communications (calls) within the context of this [illegible]
packetized messages over a network (LAN, WAN, Internet, etc.) and digital voice data
over a wireless medium. Communications involving packetized transmissions may be
connection-based transmissions such as TCP or connectionless transmissions such as
UDP.

Fingerprint technology including hardware image capture, software image
processing, software/hardware for fingerprint data storage and software for fingerprint
[illegible] 5,467,40[illegible], each of which is incorporated herein by reference for all
purposes). It is well known that no two individuals possess the same identical fingerprint
and that accurate matching techniques in conjunction with well-captured images can
positively identify an individual. The term "fingerprint" as used herein refers to handprints,
palmprints, and other unique skin patterns in addition to traditional fingerprints.

The present invention may employ sophisticated hardware and software to allow
rapid fingerprint based identification as described in U.S. Provisional Application No.
60/025,949, filed on September 11, 1996, naming R. Rao, S. Subbiah, Y. Li & D. Chu as
inventors, and previously incorporated by reference. That application describes an
extremely small, low-cost fingerprint capture hardware module that lends itself to ready
[illegible]. The referenced Provisional Application was incorporated [illegible] purposes
and is illustrative of the maturity of the fingerprint capture and comparison technology.

FIG. 1 shows an apparatus that may be used to process a wireless call in
accordance with the principles of the current invention. A fingerprint
("FCPD") 101 (such as that described in U.S. Provisional Application No. 60/025,949,
previously incorporated by reference), with an on-board CPU for processing and
comparison of the captured fingerprint image (see FIG. 4), is connected to the wireless
telephone 102. This connection may be by any method, i.e. via a telephone modem or
a port specifically built in to the wireless telephone 102, an acoustic coupler, or the
direct incorporation of the fingerprint module 101 into the wireless telephone 102.
Preferably, module 101 can be incorporated within telephone 102 such that a standard
mobile telephone casing may house all electronics for operation of the telephone and
fingerprint processing. In an especially preferred embodiment, ^C^J*
'Ilm- both the fingerprints and the telephone calls are provided on a single integrated
chip. This makes it especially difficult to tamper with the system by, for example,
intercepting signals between fingerprint capturing module 101 and telephone 102.
In one embodiment of the invention which employs a protocol similar to that of
conventional wireless systems, each phone is provided with a MIN and ESN. When the
user dials a telephone number using a keypad 112 on the wireless telephone 102, the MIN,
ESN and the number of the party being called are transmitted to a Mobile Switching Center
(MSC) 103 of a wireless carrier 104. In response, MSC 103 performs the standard
verification of the MIN and ESN as well-known in the art (see, for example, Wireless
Communications, by T. S. Rappaport, 1996, Prentice-Hall, which is incorporated herein by
reference for all purposes). If the MIN and ESN belong to a special group of users who
have previously requested the additional layer of fingerprint based security with their
service, the MIN and ESN are sent to a Central Authentication System (CAS) 106 via a
public switched telephone network (PSTN) or Internet 105 to avoid direct access of CAS
106 through the air interface. This provides additional security for the CAS.

In response to the MIN being forwarded by MSC 103, CAS 106 looks up its built-in
MIN-Challenge Key Database (MCKD) 107 and retrieves an appropriate Challenge Key
(CK 202, FIG. 2) that is associated with that particular MIN. The CK 202 is a token that
has been derived from the user's fingerprint when the user first registered the purchase of
his/her phone service. The CK 202 is then used to encrypt a "challenge" that is generated
by the CAS 106. The challenge that is formulated by the CAS 106 is different each time
it is accessed by the same or different users. The CK 202 and the encrypted
challenge are then jointly sent to wireless telephone 102 through any available forward
voice channel (FVC) or forward control channel (FCC), for example.

After reception of the challenge from CAS 106 by wireless telephone 102, the
challenge is forwarded to FCPD 101 as detailed in FIG. 4. The user's fingerprint
information could have been requested by FCPD 101 either before this point and after the
user entered the number of the called party, or at this time point itself. A token, which in
one embodiment could simply be an encoded collection of a set of unique minutiae/features
found in the fingerprint, is then generated based on the fingerprint information captured
locally by FCPD 101. As well-known in the art of fingerprint matching, a fingerprint from
any individual is unique to that individual and therefore the variety of slightly different
tokens (tokens can differ by a feature or two without any loss in uniqueness) that can be
generated can only come from that individual. This is then compared with fingerprint-
based token CK 202 that was received from CAS 106. If there is a match of the tokens,
the encrypted message is decrypted by using token CK 202 received from CAS 106. In
other embodiments, either or both tokens could be used to decrypt the challenge. A
response (the decrypted challenge) is then sent back to MSC 103 through any of the
reverse voice channels (RVCs) or reverse control channels (RCCs). This is then
forwarded via PSTN or Internet 105 (for additional security one may limit use of the
common air interface as much as possible) back to CAS 106.

The response from FCPD 101 to CAS 106 contains both the decrypted message
and a token that is generated from the fingerprint image the user supplied. If (1) the
received decrypted message matches the expected response (i.e., the original unencrypted
challenge that had been temporarily stored in CAS 106, as detailed in FIG. 6) and (2) the
token received from the FCPD 101 matches the CK 202 in the MCKD 107, the call is
authorized and connected. This double matching method will reduce false positives. It will
also prevent any illegal attempt that relies only on a decryption of just the encoded
challenge.

It is important to note that tokens generated from the same finger vary every time
the fingerprint is captured. In a preferred embodiment, if the token sent from FCPD 101
(via wireless telephone 102) is identical to that in the database (CK 202) the call will not be
authorized, since it is extremely unlikely that the exact same token will be generated in
subsequent image capture of the same finger. Presumably, such exact token matching will
only happen if the token had been illegally captured and is being used for illegal access into
the phone network. In this embodiment, the database may store up to a pre-specified
number of tokens sent by user from wireless telephone 102. If the most current token sent
from the user is identical to any token from this list, the call is also blocked, since this may
indicate the interception of a particular token sent from user to CAS 106 and used illegally.
This is a major advantage of the current invention since the token CK 202 used for
encryption (in other words the secret key that is central to all "challenge-response"
authentication methods) can itself be broadcast over the common air interface or even made
public. Thus the secret aspect of system described in the above-referenced Hodges and
Rubenstein patent may be avoided in one embodiment. To reiterate, by blocking exact
matches between a newly generated token and a stored token (one embodiment of this
invention), the illegal capture of the token CK 202 does not enable third-parties to
fraudulently initiate calls. This is a clear and substantial advantage over the prior art, and
derives from the fact that personal biometric information is being used to generate secret
keys.

A further advantage is the token's resistance to corruption due to wireless noise. In
one embodiment, a loss of a few features of the minutiae set from the token will still leave
sufficient uncorrupted features to allow unique matching against another token derived
from the same finger. One could therefore expect a "fuzzy" (non-deterministic) set of
minutiae that will give unique matching. Another advantage of the current invention
derives from the fact that the CK 202 tokens can be made public with no ill effects. Thus if
the database MCKD 107 is stolen or attacked by computer hackers and viruses, as long as a
backup copy of the database MCKD 107 exists at a remote and secure mirror-site, there is
no lasting negative consequence (so long as exact matches with prior stored tokens require
that a call be blocked).

FIG. 2 shows a typical structure for the MIN-Challenge Key Database 107
("MCKD") in accordance with one embodiment of this invention. A CK 202 is stored in
association with each MIN 201. Additional instructions or restrictions on the use of each
MIN 201 can be stored in a special instruction section (SIS) 203. These may include, for
example, blocks on long distance calls to certain localities, restrictions on calls over a
certain dollar amount, etc. In addition, MCKD 107 includes a column 204 for storing
recently received tokens from FCPD 101. Anytime that a received token exactly matches
one of the tokens stored in column 204, the call may be blocked.

The CK 202 is a token that is generated from the fingerprint that the user initially
provided when registering with the phone company. This token contains information
pertinent to the fingerprint minutiae information that has been embedded so as to ensure that
if stolen it would not lead to a loss of the original fingerprint itself.

Since fingerprint images vary slightly from print to print, such tokens from the
same finger at repeated times will be different. Also, depending upon the format of
fingerprint minutiae in the tokens, two separately generated tokens of the same print may
not from the outside appear similar - only when fingerprint matching algorithms and
comparison are applied to both tokens generated from different impressions of the same
finger can both tokens be deemed to be from the same fingerprint. Thus simple possession
of a token from a given fingerprint will not enable anyone to generate other different tokens
corresponding to a different fingerprint impression from the same finger. This renders the
method very robust and tamper proof.

Token matching first requires extraction of the fingerprint minutiae from the token.
These are then compared by matching their two-dimensional coordinates. If the
coordinates match to within a defined tolerance, the tokens are deemed a match. As
explained below, tokens may be provided with a timestamp as an extra security measure.

As known in the state of the art, many fingerprint matching schemes involve the
generation of inter-minutiae-based keys (i.e., distance vectors, etc.) that while being generally
similar will vary between multiple impressions of the same finger. Various inter-minutiae
distance-vector-derived formats are known in the art. Many of these (as well as variations on
them) may be suitable for generating keys in accordance with this invention. Such keys may
of course also serve as tokens such as CK 202 in this invention. Suitable matching schemes
are described in, for example, US Patent No. 4,747,147 issued to Sparrow on May 24, 1988,
US Patent No. 5,493,621 issued to Matsumura on February 20, 1996, and information
provided at the World Wide Web site www.Lueent.com/Press/0597/minul.GAF. Each of
these documents is incorporated herein by reference for all purposes. A typical description of a
processed fingerprint is a list of x, y and angle tabulation of each minutia. Minor modification
of these linear values (e.g., adding slight random displacements) will still reflect the same
underlying fingerprint, allowing for variation during multiple impressions (e.g., slight
distortion and rolling during the pressing of the finger). Thus, using straightforward minutiae
tabulations as tokens is susceptible to minor modification that could result in illegal phone
access.

A different and frequently used description of fingerprint information is the inter-
minutiae distance vector information. Such descriptions are inherently non-linear in nature and
so when tabulations of these are randomly or systematically modified (i.e. without explicit
knowledge of the inherent non-linearity) in minor and linear ways, the new modified tabulation
will not, in general, reflect the underlying original fingerprint, even when allowing for
variation between multiple impressions of the same fingerprint.

Thus use of such inter-minutiae distance-vector-derived keys (tokens) for matching
purposes will foil wireless fraudsters who may somehow illegally capture the transmitted
and encrypted fingerprint information and try to use the exact same keys to fraudulently
activate phone calls. That is, in general legal phone use, one expects the transmitted
fingerprint keys to be somewhat different each time, and different in a way that makes
sense with respect to the fingerprint. In illegal use, where the encrypted keys are captured,
decrypted and re-transmitted, the repeated use of a set of exact same identical keys can be
readily detected. Any minor modification of the keys, made without specific prior knowledge of
the non-linear relationships, would have to be compatible with the true fingerprint in order to
pass as genuine, and its failure to be so leads to the detection of such fraudulent use.

The advantages of using a central authentication platform and a "challenge-
response" authentication method are described in U.S. Patent No. 5,420,908 described
above. However, the "challenge-response" authentication suggested in that patent differs
significantly from the current invention in at least two ways: First, the patent suggests a
shared secret key (S-key) between the wireless phone and the central authentication system.
This necessarily requires a specialized memory chip that can store the S-key to be part of
the wireless phone itself. Therefore, in the event that the wireless phone is lost or stolen,
illegal calls can be made from the phone unless special instructions to block such newly
illegal calls have been sent to the central authentication system. The current invention, in
contrast, relies on information that is stored at the user's fingertips itself, and therefore
does not require the wireless phone unit itself to store any secret key/information.

H lad described in the '908 patent does not transmit S-key itself over the
S T " 1— -V Iw u— of the "secret" key through the air
^ because the present challenge-response authentication ^ ~ £
the "secret" key per se. In a preferred embodiment, however, the key (CK 202) kept
c by some acceptable technique such as sending the challenge and response over

«, u, —on ^ r ^ *****

of the keys themselves.

By using personal biometric information, like fingerprints, the present invention
may overcome major drawbacks of the generic "challenge-response" authentication
schemes as typified by the '908 patent method.

FIGS. 3A and 3B present a flow chart of one typical sequence of events in a
"challenge-response" authentication of this invention. The user begins the process at a step
300 by dialing a telephone number using the keypad 112 of the wireless telephone 102.
The MIN, ESN, and the phone number of the party being called are transmitted to MSC
103 at a step 301. At a branch point c „ cx , The _ in a conventional system, MSC 103 either
. r iUn MIN/ESN pair and goes to a next step 303 or blocks the call
— ^ nO0 the MSC determines if the user of the MIN requested
M " S : CP ' 5 ' ' ' ; , Result is NO, the call is connected just as routinely done in a
' If the result is YES, the MIN is sent to the CAS 106 at
a step 304.

In a step 305, CAS 106 accesses MCKD 107 and requests token CK 202 that is

Ina 105 Additional layers of security can be added to the encrypted challenge and CK
"LrCd For example, the encrypted challenge can be sent to the mobile wireless
phone over a different wireless forward channel.

In a step 308, the user gives his/her fingerprint to the FCPD 101 and this is used to
generate token. In certain variations, step 308 can be performed at any point after step 301
and the generated token J^^^^^ the user's fingerprint.

has been sent to phone 102 and a token has b
fingerprint can be forwarded via MSC 103 through CAS 106 and specially stored for later
criminal investigation of fraudulent phone use (step 318). If they match, the token received
from CAS 106 or in other embodiments both tokens (including the one generated at the
phone) is used to decrypt the challenge sent from CAS 106 in a step 310 (begin FIG. 3B).
The FCPD 101 then sends both the now-decrypted challenge and the locally generated
token (from the user's fingerprint captured on FCPD 101) back to CAS 106 by way of
MSC 103 via a step 311.

Generally the invention's direct mapping of individuals personally to the phone
calls they make also allows the mapping of callers who attempt unsuccessful break-ins into
the wireless phone system. Permanent records of the tokens generated from the
fingerprints of callers attempting illegal entry can be kept, if desired, for further criminal
investigation. More importantly, the mere idea of the potential of being caught when
illegally using someone else's phone may greatly reduce phone fraud.

After receiving the decrypted challenge from FCPD 101, CAS 106 compares it with
the challenge stored in a CAS temporary memory 607 (FIG. 6) at a conditional branch
point 312. If the match is not successful the result from step 312 is NO and the call is
blocked at a step 315 and then step 318 may be permitted if so desired. If there is a match
the result is YES and the process moves on to a conditional step 313. At this step, CAS
106 compares the token generated from the user's fingerprint captured and sent by FCPD
101 to one or more stored in its database 107 at column 202. If these tokens do not match,
the call is blocked, again at step 315 and step 318 is optionally performed. This second
matching of the tokens (note that they were initially compared at step 309) is provided for
additional security and may be dispensed with if desired.

Next at an optional decision step 320, CAS 106 compares the token received from
FCPD 101 with one or more stored tokens which were previously received from FCPD
101 and CK 202. These previously received tokens are preferably those stored in column
204 of database table 107. If it is found that the most recently received token exactly
matches one of the tokens stored in columns 202 and 204 of database 107, the call is
blocked at step 315 (and step 318 is optionally performed). As noted above, tokens are
generally not identical if they capture a fingerprint with sufficient resolution because each
fingerprint from a given individual will vary slightly (e.g., the minutiae may be slightly
offset from one another). To ensure authentication in the case where a given individual
actually does give two identical legitimate tokens, the system may only block the call if two
or more successive tokens exactly match one or more of the stored tokens.

If the tokens match at step 313 but not identically (optional step 320), the call is
authenticated for connection at a step 314. Thereafter, at a step 316, the process returns to
the routine present-day calling protocol to complete the connection. If needed, allowance
for failed authentication due to severe token corruption from wireless noise etc. can be
made by having the protocol automatically re-try the entire procedure at step 304. The
entire process exits at a step 317 and ends the illustrated flow-diagram.

In a further preferred embodiment, the format of the embedded fingerprint minutiae
contains a timestamp specifying the time at which the user's fingerprint was taken. The
CAS would then deny access if the timestamp was not from an appropriate window in time
(chosen to allow for a reasonable delay between transmission of the challenge and receipt
of the newly generated fingerprint token). If a person should intercept the user's
fingerprint token, not only would he/she have to extract the fingerprint minutiae, but he/she
would also have to properly update the timestamp in order to defeat the system. In some
embodiments, the CAS only checks for timestamp, rather than examining the newly
received token for an exact match to some multiple previously received tokens.
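
The CAS-side checks described above (challenge comparison at step 312, tolerance matching at step 313, exact-match rejection at step 320, and the timestamp window), as an added Python example that is not code from the patent. The class and function names, the 4-pixel tolerance, the 80% match fraction, the 30-second window and the sample minutiae are assumptions constructed for illustration; encryption of the challenge with CK 202 is left out.

```python
import hmac
import math
from dataclasses import dataclass, field

CONNECT = "CONNECT"
BLOCK_CHALLENGE = "BLOCK: decrypted challenge does not match (step 312)"
BLOCK_STALE = "BLOCK: timestamp outside accepted window"
BLOCK_TOKEN = "BLOCK: token does not match CK (step 313)"
BLOCK_REPLAY = "BLOCK: token identical to a stored token (step 320)"


@dataclass(frozen=True)
class Token:
    minutiae: tuple    # ((x, y), ...) minutiae coordinates; format is an assumption
    timestamp: float   # capture time in seconds (timestamp embodiment)


@dataclass
class MckdRecord:
    """One MCKD row: CK (column 202) and recently received tokens (column 204)."""
    ck: Token
    recent: list = field(default_factory=list)
    max_recent: int = 5   # the "pre-specified number" of stored tokens (assumed value)


def fuzzy_match(a, b, tol=4.0, min_fraction=0.8):
    """Pair minutiae one-to-one by 2-D distance; a few lost features are tolerated."""
    if not a.minutiae or not b.minutiae:
        return False
    unused = list(b.minutiae)
    hits = 0
    for x, y in a.minutiae:
        if not unused:
            break
        best = min(unused, key=lambda p: math.hypot(p[0] - x, p[1] - y))
        if math.hypot(best[0] - x, best[1] - y) <= tol:
            unused.remove(best)
            hits += 1
    return hits >= min_fraction * max(len(a.minutiae), len(b.minutiae))


def authorize(record, issued, response, token, now, window=30.0):
    """Return CONNECT or a BLOCK_* reason for one call attempt."""
    if not hmac.compare_digest(issued, response):
        return BLOCK_CHALLENGE
    if not 0 <= now - token.timestamp <= window:
        return BLOCK_STALE
    if not fuzzy_match(token, record.ck):
        return BLOCK_TOKEN
    # Compare minutiae only: rewriting the timestamp must not hide a replay.
    if any(token.minutiae == old.minutiae for old in (record.ck, *record.recent)):
        return BLOCK_REPLAY
    record.recent.append(token)
    del record.recent[:-record.max_recent]   # keep only the newest max_recent
    return CONNECT


# Constructed sample data (not real fingerprint measurements).
ENROLLED = ((12, 40), (30, 22), (45, 77), (60, 15), (72, 58),
            (88, 34), (95, 90), (110, 49), (123, 71), (140, 20))
# Same finger, new impression: small offsets, one minutia lost to noise.
FRESH_CAPTURE = ((13, 38), (31, 23), (44, 79), (62, 15), (71, 57),
                 (89, 36), (94, 89), (111, 50), (122, 73))
OTHER_FINGER = ((20, 100), (33, 60), (50, 40), (70, 95), (85, 10),
                (100, 65), (115, 30), (130, 85), (150, 55), (160, 5))


def demo():
    rec = MckdRecord(ck=Token(ENROLLED, 0.0))
    ch = bytes(range(16))                       # stands in for a random challenge
    return [
        authorize(rec, ch, ch, Token(FRESH_CAPTURE, 995.0), now=1000.0),
        authorize(rec, ch, ch, Token(FRESH_CAPTURE, 995.0), now=1010.0),
        authorize(rec, ch, ch, Token(FRESH_CAPTURE, 1009.0), now=1010.0),
        authorize(rec, ch, ch, Token(ENROLLED, 1009.0), now=1010.0),
        authorize(rec, ch, ch, Token(OTHER_FINGER, 1009.0), now=1010.0),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Coordinate tolerance alone cannot distinguish a fresh capture from a slightly altered copy of a stored token, which is the weakness the text attributes to plain minutiae tabulations and the reason it turns to distance-vector formats and the timestamp.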
FIG. 4 is a diagram presenting one embodiment of the FCPD 101 and its
interconnection with the wireless telephone 102 (FIG. 1). The illustrated FCPD 101
contains a fingerprint imager 417 for converting a fingerprint from a finger 4 5 into a
fingerprint image. FCPD 101 also includes a CPU (central processing unit) 401 that can
supply all the computational needs of the "challenge-response" authentication process, and
more importantly all necessary processing of fingerprint images and their subsequent
comparison. An interface port 402 and a data bus line 403 are together capable of handling
all the communications between various parts of FCPD 101 and wireless telephone 102.
This includes all types of serial interfaces and voice channels for transmitting and receiving
data. A memory module 404 stores at least those items necessary to the operation of FCPD
101 including: 1) a software program 405 which contains program codes for fingerprint
image processing, matching, decryption of the challenge, and the generation of responses;
and 2) a response storage unit 406 which temporarily stores the response before sending it
to the CAS 106.

CPU 401 can be any suitable integrated circuit or electronic design including
multichip modules and circuitry formed on printed circuit boards. If it is an integrated
circuit it may be a general purpose microprocessor, a logic device such as an application
specific integrated circuit (ASIC), etc. Examples of suitable ASICs include gate arrays,
simple and complex programmable logic devices (PLDs), digital signal processors (DSPs),
and field programmable gate arrays (FPGAs).

In one embodiment, fingerprint imager 417 includes a fingerprint capture surface
such as a window or capacitor array which produces an image of the user's fingerprint
when the user places his or her finger thereon. In addition, imager 417 includes the optics
necessary to direct an optical image of the fingerprint onto a solid state imager which also
forms part of fingerprint imager. The solid state imager, which is preferably a CCD array
or a CMOS photodiode/photogate array, generates an electronic image of the user's
fingerprint. If the solid state imager is a CMOS photodiode/photogate array, it may be
provided on single integrated circuit together with processing logic such as CPU 401.
Further details of suitable optical fingerprint imagers are provided in U.S. Provisional
Application No. 60/025,949, "Embeddable Module for Fingerprint Capture and Matching,"
filed on September 11, 1996, and naming R. Rao, S. Subbiah, Y. Li & D. Chu as
inventors. In an alternative embodiment, imager 417 may be a capacitor array formed on a
semiconductor substrate such as that described in the May 22, 1997 edition of the San
Francisco Chronicle, "New Chip Verifies Fingerprints" which pertains to a product of
Veridicom Corporation. In another alternative embodiment, imager 417 may be an
ultrasonic mechanism formed on semiconductor substrates.

It is important to note here an advantage over the "challenge-response"
authentication method presented in U.S. Pat. No. 5,420,908 (referred to as the Secret-
Key): in the present invention, the "key" need not be persistently stored in the FCPD 101
module. Therefore the wireless telephone cannot be used by any other user even when it is
lost or stolen.

In a preferred embodiment, telephone 102 is a conventional wireless telephone. It
communicates with FCPD 101 over a connection line 407 which may be a parallel or serial
connection. Telephone 102 may contain a key pad 411, all necessary telecommunication
functions 413 (including a stored MIN and provisions for generating a dialed number from
key pad inputs), data bus lines 412, and an interface port 410 for communicating with
FCPD 101 (over connection line 407) and with wireless stations such as an MSC. It is
important to note that interface port 410 should be capable of interfacing not only voice
communication signals (for standard mobile phone operation), but other communication for
control between the CAS 106 and the FCPD 101 to complete the "challenge-response"
authentication. In a preferred embodiment, interface port 410 is capable of sending and
receiving fingerprint data over a data channel which operates at a different frequency from a
communications channel which sends and receives the wireless communications (e.g.,
voice data).

Preferably, FCPD 101 is integrated directly within the casing of a conventional
wireless telephone or other communication source. The only distinction is the presence
of a fingerprint capture window on the side of the telephone, accessing imager 417. In
an especially preferred embodiment, a single integrated circuit provides most of the
functions of FCPD 101 and telephone 102. These functions include, for example, CPU
401, memory 404, and telecom functions 413. As functions from both FCPD 101 and
telephone 102 are provided on the same chip, interface port 402 and connection line 407 are
not required. A modified version of interface port 410 having only the functionality
necessary to communicate with other wireless stations (not FCPD 101) may be employed
on the integrated circuit. This single chip embodiment has the advantage of an extra layer of
security as thieves will be unable to directly monitor signals crossing connection line 407.

If fingerprint imager 417 is a CMOS imager, it may be integrated with other
components on the integrated circuit. If imager 417 is a CCD array, it typically will have to
be provided on a separate chip.

Suitable design parameters of FCPD 101 can be specified based upon the general
requirements of fingerprint analysis and matching algorithms. A typical human fingerprint
has an aspect ratio of about three to two; that is, it is one-half times as long as it is wide.
The average fingerprint has about 50 ridgelines separated by intervening valley lines that
are about equally as thick. Generally the lines run from left to right and as they do they
first traverse upwards and later downwards. Given this amount of information, the Federal
Bureau of Investigation has suggested that fingerprint detection systems should provide an
array of 512x512 pixels since it allows for at least four pixels per ridgeline and four per
valley line. Preferably, though not necessarily, the imager employed in the FCPD 101
contains an array of at least 512x512 pixels. Using sophisticated fingerprint imaging
algorithms such as those described in the above-referenced US Provisional Application
60/025,949, significantly smaller arrays can be employed. In one embodiment, the array
may include 240x160 pixels or, in another embodiment, 120x160 pixels. The use of such
small arrays has the advantage of requiring (1) less processing resources from CPU 401
and (2) less space from memory 404 during processing of a large array of fingerprint data.

Accurate fingerprint matching technology, which is well-known in the art (see, for
example, U.S. Pat. No. 2 952 181, 4 151 512, 4 322 163, 4 537 484, 4 747 147, 5 467
403 which were previously incorporated by reference), has for over a hundred years relied
on the extraction and subsequent comparison of specialized features called minutiae.
Minutiae are essentially of two equally frequent types - either the abrupt ending of a line in
the middle of the fingerprint or the fusion of two lines to create a Y-shaped junction.
Typically there are about 60 or 70 such features in a fingerprint and it is the relative location
of these from each other that creates a unique spatial pattern that statistically no other human
can possess.

Suitable methods of fingerprint matching may involve software processing steps as
illustrated in FIG. 5. After capturing the fingerprint image (step 501), a contrasting
algorithm (step 503) reduces all the gray shades of a captured image 502 to either black (for
ridgelines) or white (for valley lines) as shown in image 504. Traditionally these
algorithms are omni-directional. Basically, the particular shade of gray at each pixel is
compared with those of the neighboring pixels in all directions and if judged to be relatively
darker than most of its neighbors it is deemed to be black, otherwise white. After this
contrasting step, the contrasted image 504 is further processed by a thinning algorithm
(step 505). The object here is to reduce the black lines from being on average four pixels
thick to only one pixel thick, thereby increasing the number of white pixels substantially.
A thinned image 506 is then examined by further algorithms (step 507) that attempt to
deduce and accurately extract the minutiae and their locations as shown in a map 508. The
process is then completed at 509. All further fingerprint matching/comparison often relies
primarily on these 60 or 70 extracted pieces of information.
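
The last step of FIG. 5 (extracting line endings and Y-shaped junctions from the thinned image 506), followed by the inter-minutiae distance description mentioned earlier in the text, as an added Python example that is not code from the patent. The crossing-number test is a common extraction technique chosen here as an assumption (the text only says "further algorithms"); the ridge map, the function names and the sorted-distance key format are constructed for illustration, and minutia angles are not computed.

```python
import math

# Constructed thinned ridge map (image 506): '#' is a one-pixel-wide ridge.
THINNED = """\
.........
.#.....#.
..#...#..
...#.#...
....#....
....#....
....#....
....#....
.........
"""

# The 8 neighbours in clockwise order starting at north, as (d_row, d_col).
RING = [(-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1), (-1, -1)]


def parse(art):
    """Turn the ASCII map into rows of 0 (valley) and 1 (ridge)."""
    return [[1 if ch == "#" else 0 for ch in line] for line in art.splitlines()]


def extract_minutiae(img):
    """Return [(kind, x, y)] using the crossing number of each ridge pixel."""
    h, w = len(img), len(img[0])

    def px(r, c):
        # Pixels outside the image count as valley.
        return img[r][c] if 0 <= r < h and 0 <= c < w else 0

    found = []
    for r in range(h):
        for c in range(w):
            if not img[r][c]:
                continue
            ring = [px(r + dr, c + dc) for dr, dc in RING]
            # Half the number of 0/1 changes met while walking round the pixel.
            cn = sum(abs(ring[i] - ring[(i + 1) % 8]) for i in range(8)) // 2
            if cn == 1:
                found.append(("ending", c, r))        # abrupt end of a line
            elif cn == 3:
                found.append(("bifurcation", c, r))   # Y-shaped junction
    return found


def distance_key(minutiae):
    """Sorted pairwise distances: one possible inter-minutiae format (assumed)."""
    pts = [(x, y) for _, x, y in minutiae]
    return sorted(round(math.dist(p, q), 2)
                  for i, p in enumerate(pts) for q in pts[i + 1:])


def shifted(minutiae, dx, dy):
    """The same print placed elsewhere on the capture window."""
    return [(kind, x + dx, y + dy) for kind, x, y in minutiae]


if __name__ == "__main__":
    m = extract_minutiae(parse(THINNED))
    print(m)
    print(distance_key(m))
```

The x, y list changes when the finger lands at a different position on the capture window, while the distance key does not, which is one reason distance-derived formats suit comparison across impressions.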

Central authentication system (CAS) 106 is preferably, though not necessarily,
provided as a server or other node connected to one or more MSCs over a public switched
telephone network. CAS 106 may also have wireless connection to an MSC or may even
form a part of the MSC. Generally, CAS 106 must be able to generate and compare
challenges, access a database of fingerprint based tokens, and communicate with a plurality
of wireless sources (e.g., mobile cellular telephones) via the one or more MSCs.

FIG. 6 is a diagram of CAS 106 in accordance with one embodiment of this
invention. The design is superficially similar to the FCPD 101 (and the design presented in
U.S. Pat. No. 5,420,908). Connected to CAS 106 are PSTN 105 and MCKD 107. CAS
106 must be able to handle, simultaneously, many calls from many wireless carriers. It
includes a memory 605 including a persistently stored program 606 and various
temporarily stored items including a challenge 607, a response token 608, and a decrypted
message 609. Program 606 contains the instructions for generating a challenge, encrypting
the challenge with a fingerprint based token, validating a decrypted challenge (e.g., by
comparison with the generated challenge), fingerprint matching based on tokens, and, in
some embodiments, comparing a response token with one or more stored tokens and
further assuring that tokens are not identical as that would imply illegal use. Response
token 608 is a memory entity containing the token sent back from the FCPD 101 in the
wireless telephone 102 before token matching is conducted. When a new token is provided
from FCPD, the stored token is updated.

In addition, CAS 106 includes a CPU 602 for controlling the execution of a
program 606, accessing memory 605, and communicating with the MSCs over the PSTN.
Communication over the PSTN is provided through a data interface 601 in CAS 106 which
is connected to the PSTN over a line 105. In addition, CAS 106 communicates with
MCKD database 107 through a database interface 603 as shown. CPU 602, memory 605,
database interface 603, and data interface 601 communicate with one another over a data
bus 604.

In a preferred embodiment, the initial registration of the phone-owner's fingerprint
at the CAS 106 to create the appropriate entry into the MCKD 107 need not require the user
to visit the central phone service provider. When the phone-owner purchases or rents the
wireless phone at any local phone store he or she can use the FCPD 101 on the newly
purchased wireless telephone 102 itself to activate registry at the CAS 106 via the common
air interface and MSC 103. The phone's ESN and MIN can be sent along with the owner's
fingerprint and placed in the CAS database for future use.

In yet another embodiment of the present invention, multiple users can be permitted
to use the same wireless phone. All that is required is that the MCKD 107 at the CAS 106
be allowed to contain multiple CKs 202, one generated from each user of the same phone.
Such authorization can in principle be activated/initiated by the phone owner serving as a
master user who can at any time recruit additional users to be able to use their phone. By
activating appropriate buttons on the phone, the master user can in principle activate the
phone and the CAS 106 to receive a newly recruited user's fingerprint for association with
the master user's entry in the MCKD 107. The master user can remotely authorize this
action by simply validating it with his/her fingerprint. Again by engaging a pre-defined
sequence of buttons on the phone the master user could also in principle remove previously
authorized co-users.

In a further embodiment of the present invention, the phone owner could use more
than one fingerprint as a means to authenticate his/her identity. The MCKD 107 can be
arranged to contain information regarding more than one fingerprint of the owner. In fact,
if additional password-like security beyond fingerprint security is desired, the owner can
provide multiple fingerprints from different fingers in a particular secret order. This can
serve as a "password" known only to the owner.

In one use of the current invention, the traditional MINs and ESNs associated with
wireless phones are no longer required. The wireless telephone 102 will have an integrated
FCPD 101. When a user dials a number, the number of the party being called and the
token generated from the fingerprint of the user on the FCPD 101 will be sent to the MSC
103 and then forwarded to the CAS 106 for authentication based only on the fingerprint
token of the user for billing and authorization purposes. Because each fingerprint token
generated from the same finger will be different, a token intercepted from the common air
interface can not easily be used for fraudulent use of wireless telephones. If a particular
token generated from a fingerprint is captured illegally from the air interface and
subsequently used repeatedly to authorize illegal calls, this can be detected very easily by
the CAS 106 since it would in normal circumstances expect different and varied
tokens being generated from the same fingerprint. Because such variations in the generated
token are intrinsic to the way fingerprint information is distributed on the finger itself, these
variations cannot be gleaned from illegally capturing one token from the common
air interface. That is, tokens generated from the same fingerprint at different impressions

o ,e PCPD .01 -in vary a, merely "I*"" °' 

: „, enable tbe genera, ' varied tokens d.a. arc s « gfu..v .e,a, (1 ., e 

original fingerprint. The only thing that can be done is to use the exact same illegally
captured token to make illegal calls, but that can be easily detected. Thus, it is possible that
a system of this invention can allow any user to use any wireless telephone to place
calls.
In another use of the current invention, the identity of the user can be authenticated
for the purpose of identifying the caller's personal identity rather than merely the phone
number from which the caller initiated the call - i.e., the source terminal-ID. In one embodiment of
the present invention, at step 319 (FIG. 3), the caller's personal identity as determined by
the CAS 106 can be made available to the call control entity or the recipient of the call.
Based on the prior knowledge of who the caller is (and not just merely what phone number
the caller is calling from), the call recipient may elect to block the call even after it has been
authenticated as being non-fraudulent at step 314.

The current invention also provides a method for the identification of the caller 
(caller ID) originating the phone call. In recent years, caller ID technology (where the 

:::: j^- » — ^ » *» ^ 

recipient of the phone call in a manner that allows the recipient to screen his or her calls)
has become increasingly commonplace. In effect, caller-ID as practiced today is really
terminal-ID (the ID of the caller's phone) and not really the personal identity of the caller.
With the present invention, wireless and traditional wired phones that have the
capacity to capture/compare fingerprint information and communicate with an MSC for
authorization can allow the caller to be personally identified (rather than simply the caller's
phone number) to the call control entity or the recipient for call screening or other
application purposes. Indeed, both the caller-ID and the terminal-ID can be jointly
authenticated for an even higher level of security in phone networks.

As mentioned, the technology described herein may be employed in contexts other
than cellular telephone systems. For example, the invention may be employed to ensure
secure access to a vehicle with a wireless security system. Many automobiles now employ
wireless systems to allow remote control of door locking, automotive alarm systems,
lighting, etc. within the automobile. When the owner approaches his or her car, he or she
can unlock the car doors or activate/inactivate other car systems before actually reaching the
car. This is accomplished with the click of a button on a wireless control module.
Unfortunately, if such a module falls into the hands of a thief (or if the wireless signal is
illegally captured through the air and decoded), he may be able to circumvent the car's
security mechanism(s) and obtain control of the car. The present invention provides a
mechanism to protect against this possibility.

Wireless car security systems of this invention may employ a wireless control 
module (source) containing the logic necessary for capturing and transmitting a token based 
upon a user's fingerprint. The logic may be contained within a module as described above 
with reference to FCPD 101. Generally, the vehicle itself may provide most of the 
functionality described above with reference to CAS 106. Of course, it need not provide
access to a PSTN or database 107. However, it should include a fingerprint token for the
car operator and possibly multiple recently received tokens so that access may be blocked if
the token exactly matches a received token.

The vehicle protection mechanism of this invention may operate as follows. First,
the system on board the vehicle determines that a request for access to the vehicle has been
initiated from a wireless source. Next, the vehicle system determines whether the source
fingerprint data provided at the wireless source matches stored fingerprint data provided for
the vehicle. Access to the vehicle is then permitted (e.g., car doors are unlocked) if the
source fingerprint data matches the stored fingerprint data. In some embodiments, the
wireless source may prompt its user for a fingerprint from which to generate the source
fingerprint data.

In especially preferred embodiments, a full challenge-response protocol as
described above with reference to Figures 3A and 3B is employed. This may involve
generating an encrypted challenge from a challenge and a token based on the fingerprint
data stored with the automobile. Then, the encrypted challenge and the stored fingerprint
token are sent to the source where the stored and source fingerprints are compared. If they
match, one of the fingerprints is used to decrypt the encrypted challenge. The now
decrypted challenge and the source fingerprint data are then sent back to the automobile
where the decrypted challenge is confirmed and the source and stored fingerprints are again
compared. If all tests are passed, access to the automobile is permitted.
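
The verifier-side checks described for program 606 at the CAS, and repeated by the on-board system in the vehicle protocol above, can be sketched in Python as an added example (not code from the patent): confirm the returned challenge, refuse a token identical to a stored or earlier one, then match the fingerprint token. The integer-tuple tokens, the similarity rule, the threshold and the history size are assumptions, and the encryption of the challenge is left out, so the response is taken to be the challenge as recovered by the source.

```python
import hmac
import secrets
from collections import deque

# Assumed parameters; the page gives no matching rule or history size.
TOLERANCE = 2          # allowed difference per feature between impressions
MATCH_THRESHOLD = 0.8  # fraction of enrolled features that must be found
HISTORY = 8            # recently received tokens kept for replay checks


def similarity(token, template):
    """Fraction of enrolled features present in the token within TOLERANCE."""
    hits = sum(any(abs(f - g) <= TOLERANCE for g in token) for f in template)
    return hits / len(template)


class Verifier:
    """Verifier side: the CAS, or the system on board the vehicle."""

    def __init__(self, template):
        self.template = tuple(template)      # stored fingerprint token
        self.recent = deque(maxlen=HISTORY)  # tokens received earlier
        self.challenge = None

    def new_challenge(self):
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def verify(self, decrypted_challenge, token):
        # A challenge is valid for one attempt only.
        challenge, self.challenge = self.challenge, None
        token = tuple(token)
        if challenge is None or not hmac.compare_digest(
                challenge, decrypted_challenge):
            return "reject: challenge mismatch"
        # Per the page, impressions of one finger yield differing tokens, so
        # an exact repeat of a stored or earlier token is treated as a replay.
        if token == self.template or token in self.recent:
            return "reject: identical token"
        if similarity(token, self.template) < MATCH_THRESHOLD:
            return "reject: fingerprint mismatch"
        self.recent.append(token)
        return "accept"


# Constructed sample tokens (not real fingerprint data).
ENROLLED = (12, 27, 33, 41, 58, 64, 79, 85, 93, 107)
FRESH = (13, 26, 33, 42, 57, 65, 79, 84, 95, 107)        # new impression
OTHER = (5, 19, 150, 160, 170, 200, 210, 220, 230, 240)  # different finger


def demo():
    v = Verifier(ENROLLED)
    results = [v.verify(v.new_challenge(), FRESH)]      # legitimate user
    results.append(v.verify(v.new_challenge(), FRESH))  # captured token reused
    results.append(v.verify(v.new_challenge(), OTHER))  # wrong finger
    v.new_challenge()
    results.append(v.verify(b"\x00" * 16, ENROLLED))    # challenge not recovered
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```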

While the present invention has been described in terms of a preferred embodiment
and certain variations thereof, the scope should not be limited to the specifics presented
above. For example, while the system of this invention has been described as including a
central authentication system separated from a mobile switching center by a public switched
telephone network, the invention may be implemented by providing the central
authentication system within the mobile switching center. In this case, it may be necessary
to provide a mechanism for regularly updating the authentication system at each mobile
switching center. Further, the invention may be advantageously employed in systems that
do not employ a secret key. Importantly, the invention may rely on biometric information
other than fingerprints. Examples of such alternative biometric information include, but are
not limited to, a user's voice, personal information, photograph, hand shape, and retina.

Many similar variations on the above-described preferred embodiment may be
employed. Therefore, the invention should be broadly interpreted with reference to the
following claims.

WO 98/11750    PCT/US97/16094

What is claimed

1. A method for authenticating a call to be made over a communication system,
li" Zc in" s ~ — ««*n*» — """ kl " 1 lr "'" saK ' 

allowing said call to be completed.

2. The method of claim 1, wherein the communication system forms at least
part of a wireless telephone network.

3. The method of claim 2, wherein the call initiated from the source may be
forwarded through any of a plurality of mobile switching centers.

4. The method of claim 2, wherein said source is a mobile cellular telephone.

5. The method of claim 4, wherein determining that a call is initiated
includes detecting transmission of at least one of a mobile identification number (MIN) and
an electronic serial number (ESN) dialed with the mobile cellular telephone.

6. The method of claim 5, further comprising confirming that said at least one
of the MIN and the ESN is valid.

7. The method of claim 1, further comprising:

requesting that said source fingerprint data be provided from the source of
said call.

8. The method of claim wherein said fingerprint data is provided in an
inter-minutiae distance-vector-derived format.

9. The method of claim 1, further comprising:

encrypting a challenge with the stored fingerprint data to produce an
encrypted challenge; and ^ ^ ^ ^ ^ ^ ^ purpose of
decrypting by the source with the source fingerprint data.
10. The method of claim 9, wherein the step of determining whether the source
and stored fingerprint data match comprises:

receiving a decrypted challenge from said source, which decrypted
challenge has been decrypted with the source fingerprint data; and

comparing the challenge with the decrypted challenge from the source.

11. The method of claim 1, further comprising:

determining whether the source fingerprint data is identical to one or more
instances of sample fingerprint data previously received; and

if the source and any one of the instances of the sample fingerprint data are
identical, preventing the call from being completed.

12. The method of claim 1, where the fingerprint data is provided in a
timestamp.

13. A method for accessing a vehicle with a wireless security system, the
method comprising:

(a) determining that a request for access to the vehicle has been initiated
from a wireless source;

(b) determining whether source fingerprint data provided at said wireless
source matches stored fingerprint data provided for the vehicle; and

(c) if said source fingerprint data matches said stored fingerprint data,
allowing access to the vehicle.



14. The method of claim 13, further comprising prompting a user of said
wireless source for a fingerprint from which to generate the source fingerprint data.

15. The method of claim 13, wherein the stored fingerprint data is stored in the
vehicle.

16. The method of claim 13, wherein the vehicle is a car and allowing access to
the car comprises unlocking the car.



17. A method for authenticating a call to be made over a communication system,
the method comprising:

(a) transmitting a dialed number to a switching center on said
communication network;

(b) receiving a user's fingerprint;

(c) generating source fingerprint data from said user's fingerprint; and

(d) if the source fingerprint data matches stored fingerprint data associated
with the user, completing the call.

18. The method of claim 17, wherein the communication system forms at least a
part of a wireless telephone network.

19. The method of claim 18, wherein (a) through (d) are performed by a mobile
cellular telephone.

20. The method of claim 17, further comprising:

transmitting at least one of a MIN and an ESN to said switching center.

21. The method of claim 17, further comprising
prompting the user to provide a fingerprint.



22. The method of claim 17, wherein generating source fingerprint data
provides the source fingerprint data in a format comprising inter-minutiae distance-vector-
derived information.

23. The method of claim 17, further comprising:

determining whether the source fingerprint data matches the stored
fingerprint data prior to completing the call.

24. The method of claim 23, wherein the stored fingerprint data is provided
from a database on a public switched telephone network.

25. The method of claim 17, further comprising:

receiving an encrypted challenge from the switching center;

decrypting the encrypted challenge with the source fingerprint data to
produce a decrypted challenge; and

transmitting said decrypted challenge to the switching center, such that if the
decrypted challenge is found to match an unencrypted challenge, specifying that the source
fingerprint data matches the stored fingerprint data.

26. The method of claim 17, wherein generating source fingerprint data
provides the source fingerprint data in a format comprising a timestamp.
27. A wireless communication device capable of rendering wireless
communications secure by requiring biometric information from a user, the device
comprising:

(a) a wireless communications interface for sending and receiving wireless
communications;

(b) a device for capturing the user's fingerprint; and

(c) a processing device capable of converting the user's fingerprint to
source fingerprint data which can be transmitted.

28. The device of claim 27, wherein the device is a wireless telephone.

29. The device of claim 28, wherein the wireless telephone includes a casing
and provided within said casing are the device for capturing the user's fingerprint and the
processing device.

30. The device of claim 27, wherein the wireless communications interface is 
capable of sending the source fingerprint data to a remote location. 

31. The device of claim 30, wherein the wireless communications interface is
capable of sending and receiving fingerprint data over a data channel which operates at a
different frequency from a communications channel which sends and receives the wireless
communications.

32. The device of claim 27, wherein the device for capturing the user's
fingerprint includes:

a fingerprint capture surface on which the user can place his or her finger, to
produce an optical image of the user's fingerprint;

an imager capable of generating an electronic image of the user's fingerprint;
and

optics for directing the optical image of the user's fingerprint from the
fingerprint capture surface to the imager.

33. The device of claim 32, wherein the imager is selected from the group
consisting of CCD arrays and CMOS photodiode/photogate arrays.

34. The device of claim 33, wherein the imager is a CMOS
photodiode/photogate array which is provided on an integrated circuit together with the
processing device.
35. The device of claim 27, wherein the device for capturing the user's
fingerprint is a capacitor array formed on a semiconductor substrate or an ultrasonic
mechanism formed on a semiconductor substrate.

36. The device of claim 27, wherein the processing device is a CPU.

37. The device of claim 27, wherein the processing device is capable of
comparing the source fingerprint data with stored fingerprint data received from a remote
location, whereby when the source and stored fingerprint data are found to match, the
device allows a communication to proceed.

38. The device of claim 37, wherein the processing device is capable of
decrypting a challenge received from said remote location.

39. A central authentication system connected to a communications network and
capable of rendering wireless communications secure by processing biometric information
from a user, the device comprising:

(a) a communications interface for sending and receiving data
communications over said communications network;

(b) a database interface for accessing a database containing stored
fingerprint data associated with users of wireless communications devices; and

(c) a processor capable of determining whether a wireless communication
from a wireless communications device should be permitted based upon a match between a
fingerprint taken from said wireless communications device and stored fingerprint data
associated with the wireless communications device.

40. The central authentication system of claim 39, wherein the communications 
interface is coupled to a public switched telephone network. 

41. The central authentication system of claim 40, wherein the data
communications are directed to one or more mobile switching centers.

42. The central authentication system of claim 39, wherein the database
includes for at least one of said wireless communications devices, a plurality of received
tokens containing information from fingerprints taken at said wireless communications
device.

43. The central authentication system of claim 42, wherein the processor is
capable of comparing a newly received token from a given wireless communication device
with said plurality of tokens for said given wireless communications device.

44. The central authentication system of claim 39, wherein the processor is
capable of generating an encrypted challenge by encrypting a challenge with a token
containing said stored fingerprint data.

45. The central authentication system of claim 39, further comprising a memory
which persistently stores a program allowing the processor to determine whether wireless
communications from the wireless communications devices should be permitted.

46. The central authentication system of claim 45, wherein the memory can
store a challenge and a decrypted challenge so that the processor can determine whether the
challenge and the decrypted challenge match.